JAVA_DLOAD.ABR
October 09, 2012
PLATFORM:
Windows 2000, Windows XP, Windows Server 2003
OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan executes when a user accesses certain websites where it is hosted.
TECHNICAL DETAILS
File Size: Varies
File Type: Java Class
Initial Samples Received Date: 08 May 2012
Arrival Details
This Trojan executes when a user accesses certain websites where it is hosted.
NOTES:
This Trojan downloads from the URL specified in the parameter kpv and saves it as any of the following:
- %User Temp%\mtsopeqtwy.exe
- %User Temp%\nkvowpglfkcyhbhmzkkhmzkkhctcmi.exe
- %User Temp%\iqiytskokmsfneyainemv.exe
- %User Temp%\fxdyirjukoipmiy.exe
- %User Temp%\rceuamsnepddiwzyrcvlbd.exe
- %User Temp%\xtyighmqqdkl.exe
- %User Temp%\buszugkquhgatllw.exe
- %User Temp%\kyehxbvvcihyukkmidji.exe
- %User Temp%\tuqhrjcxhxmswqztsvpu.exe
- %User Temp%\xnyammwmdnosxanjlzowtugxv.exe
It then executes the downloaded file.
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp or C:\WINNT\Temp.)