Troj/Fgbot-A

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Fgbot-A is a Trojan for the Windows platform.

When first run, Troj/Fgbot-A copies itself to <System>\fgsrv.exe or <System>\fgsrv2.exe and creates some of the following files:

<System>\dofcfg.dll
<System>\fgsrv.dll
<System>\fgsrv2.dll
<System>\phffg.dll
<System>\ulffg.dll
<System>\flffg.dll
<System>\upfg.exe
<System>\rufg.exe

The file dofcfg.dll is a data file containing an encrypted version of the Trojan and is not executable. fgsrv.dll and fgsrv2.dll are also detected as Troj/Fgbot-A and will drop the main file again if deleted. phffg.dll is detected as Troj/RKFg-A and may be used to provide stealthing.

The following registry entry is created to run code exported by the Trojan library on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
fgsrv
<random clsid>

The file fgsrv.dll is registered as a COM object, creating registry entries under:

HKCR\CLSID\<random clsid>

Troj/Fgbot-A may set an entry at the following location in the registry in order to run itself on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
<single space>

Troj/Fgbot-A attempts to contact a remote website to receive instructions on how to behave, including modifying the HOSTS file and downloading and executing files from remote locations.

Some of the following registry entries may be set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
FGRunFrom
<pathname of the original Trojan executable>

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
FGVersion
1.1

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
FGNOINSTALL
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
FGID

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
FGComment

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
SizeOfFormLogFile
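
The file and registry indicators listed above can be checked on a host with a short read-only PowerShell function. This is an added example, not Sophos code; the function name Get-FgbotIndicator is hypothetical, <System> is assumed to mean System32 (plus SysWOW64 on 64-bit Windows), and the COM registration is assumed to use the standard InprocServer32 subkey.

```powershell
# Added triage example: read-only check for the Troj/Fgbot-A file and
# registry indicators listed on this page. Function name is hypothetical.
function Get-FgbotIndicator {
    $hits = @()
    # Assumption: <System> is System32, plus SysWOW64 on 64-bit Windows.
    $names = 'fgsrv.exe','fgsrv2.exe','dofcfg.dll','fgsrv.dll','fgsrv2.dll',
             'phffg.dll','ulffg.dll','flffg.dll','upfg.exe','rufg.exe'
    foreach ($dir in "$env:windir\System32", "$env:windir\SysWOW64") {
        foreach ($n in $names) {
            $p = Join-Path $dir $n
            if (Test-Path -LiteralPath $p) { $hits += "File: $p" }
        }
    }
    # The ShellServiceObjectDelayLoad value "fgsrv" holds the random CLSID.
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $clsid = (Get-ItemProperty -Path $ssodl -Name 'fgsrv' -ErrorAction SilentlyContinue).fgsrv
    if ($clsid) {
        $hits += "SSODL: fgsrv = $clsid"
        # Assumption: the DLL path sits in the standard InprocServer32 subkey.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $hits += "COM server: $clsid -> $dll" }
    }
    # RunOnce entry whose value name is a single space.
    $runOnce = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
    if ($runOnce -and ($runOnce.GetValueNames() -contains ' ')) {
        $hits += "RunOnce: value named ' ' = $($runOnce.GetValue(' '))"
    }
    # Per-user marker values; this only inspects the current user's hive.
    $inet = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    foreach ($v in 'FGRunFrom','FGVersion','FGNOINSTALL','FGID','FGComment','SizeOfFormLogFile') {
        if ($inet -and ($inet.GetValueNames() -contains $v)) {
            $hits += "Internet Settings: $v = $($inet.GetValue($v))"
        }
    }
    return $hits
}

Get-FgbotIndicator
```

Since phffg.dll may be used to provide stealthing, an empty result from a running system is not conclusive; the same paths and keys can be checked against an offline image.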
