TROJ_CHEPVIL.SM

 Analysis by: Erika Bianca Mendoza
 Modified by: Christopher Daniel So

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It downloads files from remote sites and executes them. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

16,896 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

25 Mar 2011

Payload:

Downloads files, Connects to URLs/IPs

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This Trojan drops and executes the following file:

  • %System%\mlcqdcsk.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Download Routine

This Trojan connects to the following website(s) to download malicious files:

  • http://{BLOCKED}.{BLOCKED}.220.52/lol2.exe
  • http://{BLOCKED}.{BLOCKED}.220.52/pod.exe
  • http://{BLOCKED}.{BLOCKED}.220.52/spm.exe

It saves the files it downloads using the following names:

  • %System Root%\Documents and Settings\Administrator\Local Settings\Temp\spm.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. The Administrator account name in the path above comes from the analysis environment; on other systems the file is assumed to land in the Local Settings\Temp folder of whichever user ran the Trojan.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://{BLOCKED}myqeg.com/1017000413
  • http://{BLOCKED}.{BLOCKED}.193.20/service/listener.php?affid=50039
  • http://{BLOCKED}.{BLOCKED}.193.20/service/scripts/files/aff_50039.dll
  • http://{BLOCKED}.{BLOCKED}.88.10//srv
  • http://{BLOCKED}.{BLOCKED}.88.10//dll
  • http://{BLOCKED}.{BLOCKED}.193.138/xxxx_2/MDUwNTZjMDA4fDUwMDM5fDB8M3wxZTd8NS4xIDI2MDAgU1AzLjB8MHwwfHBybjE0
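
The last callback above carries a base64 segment that decodes to a pipe-delimited string: 05056c008|50039|0|3|1e7|5.1 2600 SP3.0|0|0|prn14. Its second field is the same affid (50039) used in the listener.php and aff_50039.dll requests, and its sixth field reads like a Windows version string (5.1 build 2600 SP3, i.e. Windows XP SP3). The script below is an added triage example, not Trend Micro's code or part of this description: it decodes that beacon and scans proxy log lines for the download and callback paths listed on this page. The field labels in FIELD_NAMES, the sample log lines, and the 203.0.113.x addresses standing in for the {BLOCKED} hosts are all assumptions or constructed data.

```python
import base64
import re
from urllib.parse import urlsplit

# Beacon path copied from the "Other Details" list above; the host is redacted on the page.
BEACON_PATH = "/xxxx_2/MDUwNTZjMDA4fDUwMDM5fDB8M3wxZTd8NS4xIDI2MDAgU1AzLjB8MHwwfHBybjE0"

# Field labels are an assumption: the decoded string is pipe-delimited, its second field
# equals the affid in listener.php?affid=50039, and its sixth field reads like a Windows
# version string (5.1 build 2600 SP3 is Windows XP SP3). The remaining fields are unlabelled.
FIELD_NAMES = ["id", "affid", "f2", "f3", "f4", "os_version", "f6", "f7", "tag"]


def decode_beacon(path: str) -> dict:
    """Base64-decode the last path segment of a /xxxx_2/ beacon and split it on '|'."""
    token = path.rstrip("/").rsplit("/", 1)[-1]
    padded = token + "=" * (-len(token) % 4)  # restore any padding stripped from the URL
    raw = base64.b64decode(padded).decode("ascii", errors="replace")
    fields = raw.split("|")
    names = FIELD_NAMES + [f"extra{i}" for i in range(max(0, len(fields) - len(FIELD_NAMES)))]
    return dict(zip(names, fields))


# URL patterns derived from the download and callback lists on this page. Hosts are redacted
# there, so matching is on path and query only; the bare ".exe" and "//srv" patterns are
# noisy by themselves and belong in a rule only alongside the more specific ones.
IOC_PATTERNS = [
    re.compile(r"/service/listener\.php\?affid=\d+"),
    re.compile(r"/service/scripts/files/aff_\d+\.dll$"),
    re.compile(r"/xxxx_2/[A-Za-z0-9+/=]{16,}$"),
    re.compile(r"/(lol2|pod|spm)\.exe$"),
    re.compile(r"//(srv|dll)$"),
]

# Constructed proxy log (Squid-like: timestamp, client, status, method, URL). The
# 203.0.113.0/24 addresses are documentation placeholders for the redacted hosts.
SAMPLE_PROXY_LOG = """\
1301050001.123 10.0.0.5 TCP_MISS/200 GET http://203.0.113.52/spm.exe
1301050002.456 10.0.0.5 TCP_MISS/200 GET http://203.0.113.20/service/listener.php?affid=50039
1301050003.789 10.0.0.7 TCP_MISS/200 GET http://www.example.com/index.html
1301050004.012 10.0.0.5 TCP_MISS/200 GET http://203.0.113.138/xxxx_2/MDUwNTZjMDA4fDUwMDM5fDB8M3wxZTd8NS4xIDI2MDAgU1AzLjB8MHwwfHBybjE0
"""


def scan_proxy_log(text: str) -> list:
    """Return one hit per log line whose URL path (plus query) matches a CHEPVIL pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[4]
        u = urlsplit(url)
        target = u.path + ("?" + u.query if u.query else "")
        for pat in IOC_PATTERNS:
            if pat.search(target):
                hit = {"client": client, "url": url, "pattern": pat.pattern, "beacon": None}
                if "/xxxx_2/" in u.path:
                    # Pull the affid and OS version out of the beacon for the incident record.
                    hit["beacon"] = decode_beacon(u.path)
                hits.append(hit)
                break
    return hits


if __name__ == "__main__":
    print(decode_beacon(BEACON_PATH))
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        affid = h["beacon"]["affid"] if h["beacon"] else "-"
        print(h["client"], h["url"], "->", h["pattern"], "affid:", affid)
```

The affid in the beacon and in the listener.php request is the same value, so it is the field worth pivoting on when correlating hosts in the proxy logs; the decoded OS version should match the victim's build if the beacon was sent by this sample rather than replayed.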

It deletes itself after execution.