Analysis by: Jed Valderama
ALIASES:

Backdoor:Win32/Caphaw.K (Microsoft)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It downloads a file from a certain URL then renames it before storing it in the affected system. It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It deletes itself after execution.

  TECHNICAL DETAILS

Tamaño del archivo 135,168 bytes
Tipo de archivo EXE
Fecha de recepción de las muestras iniciales 24 Aug 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan downloads files from the following URLs then renames them before storage in the affected system:

  • {BLOCKED}-upd.at
  • {BLOCKED}ervise.cc

It saves the files it downloads using the following names:

  • %User Temp%\{random letter}.tmp.

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This Trojan deletes itself after execution.