Trojan.Dmservinf.A

MEDIUM
HIGH
98,304 (executable) 62,464 (dll)
(Trojan:win32/Mesoum.A, Trj/Multidropper.ROM, TR/Patched.BU.6)

Symptoms

Presence in the %windir%\system32 directory of files named w*nte.dll, *esl.dll, msfont*.dll. These are used as temporary files in the infection process.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Deac Razvan-Ioan, virus researcher

Technical Description:

    When the executable part of this trojan is run, it drops a dynamic library file in the temp directory of the current user. This DLL has a random name such as 97a2ljq.tmp. The executable also infects a DLL located in the system32 directory and makes it load the malicious file dropped earlier. After this, it uses an export from the dropped DLL to delete itself.
   
    Once it is loaded, the malicious DLL tries to stop services belonging to some AV products, infects other DLLs in the system32 directory so that they load the malware, and downloads other malicious files from locations such as:

    * http://www.adobeliveupdates.net/flash/rVGc...K26474/JVBMO6KVF9oF.asf
    * http://www.adobeliveupdates.net/flash/rVG...CK26474/JVBMO6KVF9oF.gif
    * http://www.msmsnliveupdates.net/Script/Xp...Gp11449/CjGBFgSSVJrxJ.bmp
    * http://www.msmsnliveupdates.net/Script/Xp...Gp11449/CjGBFgSSVJrxJ.mp3
    * http://www.msmsnliveupdates.net/flash/rVG...GCK26474/JVBMO6KVF9oF.asf
    * http://www.msmsnliveupdates.net/flash/rVG...K26474/JVBMO6KVF9oF.gif
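
A triage sketch for the two file indicators described above, added here as an example and not BitDefender's own tooling: it lists system32 names matching the symptom patterns and flags *.tmp files in the temp directory whose PE header marks them as DLLs. The function names and the PE-header check are assumptions of this example.

```python
import fnmatch
import os
import struct
import tempfile

# File-name patterns from the Symptoms section (matched case-insensitively).
SYMPTOM_PATTERNS = ("w*nte.dll", "*esl.dll", "msfont*.dll")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def symptom_files(system32):
    """Return names in `system32` that match any symptom pattern."""
    hits = []
    for name in sorted(os.listdir(system32)):
        if any(fnmatch.fnmatch(name.lower(), p) for p in SYMPTOM_PATTERNS):
            hits.append(name)
    return hits


def is_pe_dll(path):
    """True if the file is a PE image whose COFF header marks it as a DLL."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            nt = fh.read(24)  # "PE\0\0" signature + 20-byte COFF header
    except OSError:
        return False
    if len(nt) < 24 or nt[:4] != b"PE\0\0":
        return False
    (characteristics,) = struct.unpack_from("<H", nt, 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def tmp_dlls(temp_dir):
    """Return *.tmp files in `temp_dir` that are really DLL images."""
    return [n for n in sorted(os.listdir(temp_dir))
            if n.lower().endswith(".tmp") and is_pe_dll(os.path.join(temp_dir, n))]


if __name__ == "__main__":
    windir = os.environ.get("windir", r"C:\Windows")
    print("symptom files:", symptom_files(os.path.join(windir, "system32")))
    print("DLLs named *.tmp:", tmp_dlls(tempfile.gettempdir()))
```

A hit from either function is a lead for review, not a verdict. Because the symptom files are described as temporary, an empty result does not show the machine is clean.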