TROJ_ANDROM.P
Trojan:Win32/Bublik.B (Microsoft), Generic BackDoor.u (McAfee), Backdoor.Win32.Androm (Ikarus)
Windows 2000, Windows XP, Windows Server 2003
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.
It executes then deletes itself afterward.
TECHNICAL DETAILS
143,872 bytes
EXE
Yes
13 Aug 2012
Arrival Details
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It may be downloaded by other malware/grayware/spyware from remote sites.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %System%\{random file name}
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It executes then deletes itself afterward.
Autostart Technique
This Trojan adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:
HKLM\Software\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
userinit.exe
Debugger = "{random file name}"
Other Details
This Trojan connects to the following possibly malicious URL:
- armyclub.{BLOCKED}kring.net
- genubajom.{BLOCKED}ame.com
- {BLOCKED}ing.net
- rivadolti.{BLCOKED}tp.com
- {BLOCKED}l.net
- tekiharob.{BLOCKED}s.net