Welcome to the Virus Encyclopedia of Panda Security.
FTLog.A carries out the following actions:
- It reaches the computer via the social network Fotolog in a link enticing users to watch a video. This information is detailed below in the section Means of transmission.
- If users follow the malicious link, a website is displayed requiring users to install a certain codec in order to watch the video.
- Once the codec is installed, users are redirected to a website for adults from which the file called SETUP.EXE is downloaded.
- This file belongs to a plugin called MediaPass Plugin which, once downloaded, is installed in the computer.
- Once installed, two different websites are displayed:
  - The first of them belongs to a website that informs users that they have won a prize and that, in order to get it, they have to enter certain data.
  - The second one is a website that contains videos for adults.
- If users click on any of the images belonging to the videos, another file will be downloaded. Once this file is run, it installs a hotbar, which allows users to customize the browser and add different applications to it.
- Additionally, it modifies the Start Page and changes it to a search engine that allows users to search for pages, videos and news, among others.
- When users are browsing through the Internet, it displays different pop-up ads related to the type of websites users visit. This does not allow users to browse through the Internet as usual.
FTLog.A creates the following DLLs (Dynamic Link Library) in the Windows system directory:
- 5SY5WVTUMOKH.DLL. It is injected into Internet Explorer in order to display pop-up ads while users are browsing through the Internet.
- T-XV0Q7O-_.DLL. It is injected into Firefox in order to display pop-up ads while users are browsing through the Internet.
FTLog.A creates the following entry in the Windows Registry:
FTLog.A modifies the following entry from the Windows Registry in order to change the Internet Explorer Start Page:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page = %start page selected by the user%
It changes this entry to:
Start Page = http://www3.iam<blocked>red.net/
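The indicators above can be checked against artifacts collected from a host. The following is an added example, not part of the original entry: it assumes a file-name listing of the Windows system directory and the text output of `reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page"`; the function names and sample data are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# DLL names exactly as listed on this page, with the browser each is injected into.
DLL_INDICATORS = {"5SY5WVTUMOKH.DLL": "Internet Explorer", "T-XV0Q7O-_.DLL": "Firefox"}
# The page redacts the middle of the Start Page host (www3.iam<blocked>red.net),
# so only the visible prefix and suffix are compared.
HOST_PREFIX, HOST_SUFFIX = "www3.iam", "red.net"

# Value line as printed by `reg query`: indent, name, type, data.
VALUE_RE = re.compile(r"^\s+Start Page\s+REG_SZ\s+(\S+)\s*$", re.MULTILINE)

def start_page_from_reg_query(output):
    """Return the Start Page data from `reg query` text, or None if absent."""
    match = VALUE_RE.search(output)
    return match.group(1) if match else None

def start_page_matches(url):
    """True if the URL's host has the prefix and suffix visible on this page."""
    host = urlsplit(url).hostname or ""
    return host.startswith(HOST_PREFIX) and host.endswith(HOST_SUFFIX)

def triage(system_dir_listing, reg_query_output):
    """Return a list of findings for one host's collected artifacts."""
    findings = []
    present = {name.strip().upper() for name in system_dir_listing}
    for dll, browser in DLL_INDICATORS.items():
        if dll in present:
            findings.append(f"{dll} in system directory (injected into {browser})")
    url = start_page_from_reg_query(reg_query_output)
    if url and start_page_matches(url):
        findings.append(f"Internet Explorer Start Page set to {url}")
    return findings

# Constructed sample artifacts (not real captures); the host below is a placeholder.
REG_TEMPLATE = ("\nHKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\n"
                "    Start Page    REG_SZ    {}\n\n")
SAMPLE_REG_INFECTED = REG_TEMPLATE.format("http://www3.iam-placeholder-red.net/")
SAMPLE_REG_CLEAN = REG_TEMPLATE.format("http://www.example.com/")
SAMPLE_LISTING = ["kernel32.dll", "5sy5wvtumokh.dll", "T-XV0Q7O-_.DLL"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING, SAMPLE_REG_INFECTED):
        print("FOUND:", finding)
    print("clean host:", triage(["kernel32.dll"], SAMPLE_REG_CLEAN))
```

The DLL comparison is case-insensitive because Windows file names are; the Start Page check reads only the current user's hive, so it has to be run per user profile.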
Means of transmission
FTLog.A is distributed via the photo-blogging and social networking site called Fotolog. In order to do so, it publishes comments which contain a link to a video.
If users follow the link, the infection process of FTLog.A will start.
FTLog.A is 233,000 bytes in size.