CHM_DROPPER.VTG

This Trojan arrives as attachment to mass-mailed email messages. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.

Arrival Details

This Trojan arrives as attachment to mass-mailed email messages.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %Windows%\Downloaded Program Files\comctr.inf

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops and executes the following files:

• %System%\comctr.dll
• %System%\oci.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other System Modifications

This Trojan modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSDTC
Start = 2

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSDTC
ObjectName = LocalSystem

(Note: The default value data of the said registry entry is NT AUTHORITY\NetworkService.)

Download Routine

This Trojan connects to the following malicious URLs:

• http://jpgame.{BLOCKED}et.org

As of this writing, the said sites are inaccessible.