TROJ_DLOADR.UDB

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %User Temp%\hcbnaf.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Download Routine

This Trojan accesses the following websites to download files:

• https://{BLOCKED}yourwife.co.uk/plugins/system/Update.exe
• https://{BLOCKED}k.com/help/index.exe
• https://{BLOCKED}aterexcitement.com/files/nbt.exe

It saves the files it downloads using the following names:

• %User Temp%\hgnddkje.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Trend Micro detects the dowloaded file as:

• TSPY_ZBOT.KNR
• TSPY_ZBOT.BDU

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

NOTES:

The initial sample will drop a copy of itself, then the copy will delete the initial sample.