TROJ_DLOADR.CDS

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %User Profile%\Application Data\Microsoft\Media Player\DRM251\msime32.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
msime32.exe = "%User Profile%\Application Data\Microsoft\Media Player\DRM251\msime32.exe"

Download Routine

This Trojan downloads updated copies of itself from the following websites:

• http://{BLOCKED}datefree.zoka.cc/patch/chkupdate.php?{random characters}
• http://{BLOCKED}datefree.zoka.cc/patch/update.php?{random characters}

It saves the files it downloads using the following names:

• %User Profile%\Application Data\Microsoft\Media Player\DRM251\sfnmtcr.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.