Downloader.Picproot is a recently discovered Trojan horse that is detected by Symantec. The Trojan affects the Windows operating system. Even though its threat level is considered low, Downloader.Picproot should be removed promptly so that more severe consequences are avoided. A full system scan with a legitimate AV solution is recommended before any other action is taken.
Downloader.Picproot General Description and Distribution
The Trojan horse affects the following, as reported by security researchers:
- Windows 2000.
- Windows 7.
- Windows 95.
- Windows 98.
- Windows Me.
- Windows NT.
- Windows Vista.
- Windows XP.
Users should note that Downloader.Picproot may be dropped by a binary file attached to an email message. Always inspect received emails before opening an attachment or following a link. Many types of malware are distributed through the execution of malicious email attachments and corrupted hyperlinks. If the user is tricked into executing the binary, Downloader.Picproot may start copying itself to:
- %UserProfile%\Application Data\Microsoft\Credentials\Credentials.dll
- %UserProfile%\Application Data\Microsoft\Credentials\Credentials.exe
- %UserProfile%\Application Data\Microsoft\SystemCertificates\CREDRIVER.dll
- %UserProfile%\Application Data\Microsoft\SystemCertificates\Desktop.ini
Then, Downloader.Picproot may proceed towards creating the following files:
- %UserProfile%\Application Data\Microsoft\Credentials\Credentials.dat
- %UserProfile%\Application Data\Microsoft\Credentials\Credentials.bak
- %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].tmp
- %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].msi
After performing those malicious activities, the Trojan may delete files with the .dta extension. Such files may be located in
Next on the list of Downloader.Picproot is creating a new registry entry so that the threat runs every time Windows is rebooted:
→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Credentials" = "rundll32.exe "%UserProfile%\Application Data\Microsoft\Credentials\Credentials.dll",Embedding"
Also, keep in mind that Trojans can modify the Windows registry. In the case of Downloader.Picproot the following registry key may be altered:
→HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\lsa\"forceguest" = "0"
Then the Trojan activates the built-in HelpAssistant account and adds it to the Administrators group. This is done so that Downloader.Picproot can control incoming traffic on TCP ports 135, 139, and 445. Trojan horses are also known to connect to remote locations, and Downloader.Picproot is no exception. Here is a list of possible remote servers that the malware may connect to:
→air88.ns01.us, info.acmetoy.com, ware.compress.to, bbs.ccdog.net, ph11.dns1.us, 18.104.22.168, cham.com.tw
The final touch of the threat is downloading a corrupted image file and saving it to %UserProfile%\Application Data\Tasks\Zup[ONE OR MORE LETTER FILE NAME].tmp or %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].msi. Finally, the payload is decrypted and hidden from the user.
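The artifacts described above (dropped files, the Run value, the forceguest change, the HelpAssistant account, and the remote hosts) can be checked on a suspect machine without touching anything. The following PowerShell script is an added triage example written for this article; it is not code from Symantec or from the malware write-up. It assumes the ADSI WinNT provider, netstat and ipconfig are available (so it also works on the older Windows versions listed above, which lack Get-LocalUser and Get-NetTCPConnection), and it stands in for the page's `[ONE OR MORE LETTER FILE NAME]` placeholder with a letters-only wildcard. Run it from an elevated prompt so the HKLM value and local-group membership can be read.

```powershell
# Added triage example (not from the Symantec write-up): read-only checks for the host
# artifacts listed on the page. Nothing is deleted or changed.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped / created files. The page gives the legacy "%UserProfile%\Application Data"
#    path; on Vista and later that is a junction to %APPDATA%, so both roots are checked.
$roots = @((Join-Path $env:USERPROFILE 'Application Data'), $env:APPDATA) | Select-Object -Unique
$relative = @(
    'Microsoft\Credentials\Credentials.dll',
    'Microsoft\Credentials\Credentials.exe',
    'Microsoft\Credentials\Credentials.dat',
    'Microsoft\Credentials\Credentials.bak',
    'Microsoft\SystemCertificates\CREDRIVER.dll',
    'Microsoft\SystemCertificates\Desktop.ini'   # weak on its own; corroborate with the others
)
foreach ($root in $roots) {
    foreach ($rel in $relative) {
        $p = Join-Path $root $rel
        if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("File present: $p") }
    }
    # up[LETTERS].tmp / up[LETTERS].msi and Zup[LETTERS].tmp under ...\Tasks. The page only
    # gives a placeholder for the variable part, so a letters-only regex (assumption) is used.
    $tasks = Join-Path $root 'Tasks'
    if (Test-Path -LiteralPath $tasks -PathType Container) {
        Get-ChildItem -LiteralPath $tasks -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match '^Z?up[A-Za-z]+\.(tmp|msi)$' } |
            ForEach-Object { $findings.Add("Suspicious task file: $($_.FullName)") }
    }
}

# 2. Persistence: the HKCU Run value named "Credentials" that launches the DLL via rundll32.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                        -Name 'Credentials' -ErrorAction SilentlyContinue
if ($run) { $findings.Add("Run value 'Credentials' = $($run.Credentials)") }

# 3. LSA forceguest set to 0 (classic rather than guest-only network logon model).
#    The value is also 0 on many legitimately configured systems (domain-joined ones, for
#    example), so report it as supporting context, not as a conviction on its own.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name 'forceguest' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.forceguest -eq 0) { $findings.Add('Lsa\forceguest = 0 (context only)') }

# 4. HelpAssistant account enabled and/or a member of Administrators (ADSI WinNT provider).
try {
    $ha = [ADSI]'WinNT://./HelpAssistant,user'
    if (-not [bool]$ha.InvokeGet('AccountDisabled')) { $findings.Add('HelpAssistant account is enabled') }
} catch { }   # account absent (normal on newer Windows); nothing to report
try {
    $admins = [ADSI]'WinNT://./Administrators,group'
    $names = @($admins.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($names -contains 'HelpAssistant') { $findings.Add('HelpAssistant is in the Administrators group') }
} catch { $findings.Add("Could not enumerate Administrators: $($_.Exception.Message)") }

# 5. Network context: active sessions on the TCP ports the page names, any socket to the
#    listed IP, and cached DNS answers for the listed host names. Listening sockets on
#    135/139/445 are normal on Windows, so only ESTABLISHED/SYN_SENT lines are reported.
$netstat = netstat -ano
$sessions = $netstat | Select-String -Pattern ':(135|139|445)\s+(\S+\s+)?(ESTABLISHED|SYN_SENT)'
foreach ($line in $sessions) { $findings.Add("TCP session: $($line.Line.Trim())") }
foreach ($line in ($netstat | Select-String -Pattern '18\.104\.22\.168')) {
    $findings.Add("Socket to listed IP: $($line.Line.Trim())")
}
$hosts = 'air88.ns01.us','info.acmetoy.com','ware.compress.to','bbs.ccdog.net','ph11.dns1.us','cham.com.tw'
$hostPattern = ($hosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($line in (ipconfig /displaydns | Select-String -Pattern $hostPattern)) {
    $findings.Add("DNS cache: $($line.Line.Trim())")
}

if ($findings.Count -eq 0) { 'No page-listed Downloader.Picproot artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reports; a hit on the Run value or the dropped DLL is the strongest indicator, while the forceguest value, Desktop.ini and open 135/139/445 sessions are corroborating context that occur on clean machines too. Hand any positive result to a full AV scan rather than deleting files by hand, since the Run value and the DLL have to go together or the entry simply re-launches a missing file at next logon.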
Downloader.Picproot Removal Options
Affected users should scan the system as soon as possible. Install a trustworthy anti-malware program to detect and eliminate the threat. For the future, always inspect incoming emails to avoid infecting the system.