Trojan.Kotver is a Trojan horse that performs click-fraud operations on the compromised computer.
Once executed, the Trojan checks if Windows PowerShell is installed on the compromised computer. If Windows PowerShell is installed, the Trojan creates multiple registry entries.
If the compromised computer does not have Windows PowerShell installed, the Trojan will create a copy of itself in the following location:
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe
The Trojan will then create multiple registry entries.
The Trojan injects itself into the following Windows process:
Next, the Trojan connects to the following remote location:
The Trojan may download additional software onto the compromised computer, such as the following:
- Microsoft .NET Runtime
- Microsoft Internet Explorer
- Adobe Flash Player
The Trojan then performs click-fraud operations which involves covertly downloading large numbers of online advertisements onto the compromised computer and then automatically clicking or interacting with them with a view to earning fraudulent advertising revenue for the attacker.
To remove this malware, use the Trojan.Kotver Removal Tool