TROJ_MDROP.ZTBJ

This is a malicious PowerPoint file, whose final payload is slide1.gif, TROJ_TALERET.ZTBJ-A. The payload is a known family of malware used in targeted attacks involving different Taiwanese industries and government organizations.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan arrives as an attachment to email messages mass-mailed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

Arrival Details

This Trojan arrives as an attachment to email messages mass-mailed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

• %User Temp%\slide1.gif - detected as TROJ_TALERET.ZTBJ-A
• %User Temp%\slides.inf - detected as INF_BLACKEN.D

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Dropping Routine

This Trojan takes advantage of the following software vulnerabilities to drop malicious files:

• (MS14-060) Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869)

It executes the dropped file. As a result, malicious routines of the dropped file are exhibited on the affected system.