TROJ_DLODR.TMP

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It may arrive bundled with malware packages as a malware component. It may be unknowingly downloaded by a user while visiting malicious websites.

It bears the file icons of certain applications to avoid easy detection and consequent removal.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It may arrive bundled with malware packages as a malware component.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %User Temp%\.exe
• %System%\2056\iissync.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following files:

• %Current Folder%\{russian text}.du - non malicious document
• %Windows%\config\usbscanlog.dat - non malicious

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It bears the file icons of the following applications:

• Microsoft Word

It creates the following folders:

• %Application Data%\Microsoft Office
• %System%\2056

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• LLHTTPSCA

Other System Modifications

This Trojan modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders
Common Startup = %System%\2056

(Note: The default value data of the said registry entry is %Start Menu%\Programs\Startup.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
User Shell Folders
Common Startup = %System%\2056

(Note: The default value data of the said registry entry is %Start Menu%\Programs\Startup.)

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• press.{BLOCKED}e-helppane.com
• press.{BLOCKED}x-pro.com
• press.{BLOCKED}l-pro.com

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

NOTES:
Initially, it creates a temporary file, %User Temp%\tmp{random}.EXE then renames it to %User Temp%\.EXE.

The temporary file is deleted and the new copy is then executed. It also creates a non malicious document in the current directory, then attempts to open it.

When translated in English, its file name says:

• About the political situation in Yemen (reference)

Below is a screenshot of the document:

Download Routine

Currently, the malware was unable to download other files.

Other Details

This malware finds the following location and executes all .EXE and .BAT files found:

• %Application Data%\Microsoft Office

It also copies the contents of the Startup folder %Start Menu%\Programs\Startup to %System%\2056 so that the user does not suspect any changes to the startup settings.

The malware may be bundled with other files such as %System%\tracert.DLL since it is trying to locate this file before doing some of its routines.