Trojan.Loader.N
MEDIUM
MEDIUM
~ 12 kB
(Trojan.Kobcka, Trojan-Downloader.Win32.Mutant, TrojanDownloader:Win32/Cutwail, Trojan.Pandex, Win32/Wigon)
Symptoms
Increased network activity.
Presence of the specified files and registry keys.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Dan Anton, virus researcher
Technical Description:
The virus acts as a loader for an encrypted PE file carried in its own body. After the payload has been decrypted, control is passed to the embedded executable.
Once executed, the virus adds the following registry value so that it runs at every system start-up:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = "advap32"
The embedded executable is detected as Trojan.Kobcka.DO and acts as a downloader. It tries to contact several URLs:
75.126.22.226 (citycentre2.dk)
75.125.207.50 (server.microlite18.com)
75.125.207.82 (server.host53.com)
208.66.195.71
208.66.194.236
over HTTP on port 80, and downloads several other malware files, detected as:
Trojan.Kobcka.DT
Trojan.Downloader.Agent.ZJA.
These are stored as "%Temp%\BN[random_digit].tmp", executed, and in turn download further malware.
The downloaded files are components of a spam bot trojan designed to launch large-scale spam campaigns from the compromised system.
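A host-side check for the artifacts described above (the Run value, the %Temp%\BN*.tmp files, and port-80 connections to the listed servers), added here as an example and not part of the BitDefender write-up; it assumes "advap32" may appear either as the Run value's name or in its data, and the function name Get-KobckaIndicators is our own.

```powershell
# Added example, not part of the BitDefender write-up: check a Windows host for the
# artifacts described above. Assumption: "advap32" may be the Run value's name or its data.
function Get-KobckaIndicators {
    param(
        [string]$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$TempDir = $env:TEMP
    )
    $findings = @()

    # 1. Autostart: a Run value named "advap32" or whose data refers to it
    if (Test-Path $RunKey) {
        $props = Get-ItemProperty -Path $RunKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
            if ($p.Name -ieq 'advap32' -or "$($p.Value)" -imatch 'advap32') {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Value = $p.Value }
            }
        }
    }

    # 2. Dropped downloader components: %Temp%\BN<digits>.tmp (the write-up says one random digit;
    #    the pattern is kept slightly wider to tolerate variants)
    if (Test-Path $TempDir) {
        $files = Get-ChildItem -Path $TempDir -Filter 'BN*.tmp' -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -match '^BN\d+\.tmp$' }
        foreach ($f in $files) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
            $findings += [pscustomobject]@{ Type = 'TempFile'; Name = $f.FullName; Value = $hash }
        }
    }

    # 3. Live TCP connections on port 80 to the download servers listed in the write-up
    $knownServers = '75.126.22.226', '75.125.207.50', '75.125.207.82', '208.66.195.71', '208.66.194.236'
    $conns = Get-NetTCPConnection -RemotePort 80 -ErrorAction SilentlyContinue |
             Where-Object { $knownServers -contains $_.RemoteAddress }
    foreach ($c in $conns) {
        $findings += [pscustomobject]@{ Type = 'Connection'; Name = $c.RemoteAddress; Value = "PID $($c.OwningProcess)" }
    }

    return $findings
}

Get-KobckaIndicators | Format-Table -AutoSize
```

Get-NetTCPConnection requires Windows 8 / Server 2012 or later; the IP addresses are those published in this write-up and may since have been reassigned, so treat a connection match as a lead to confirm rather than proof of infection.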