TROJ_DROPPER.TKD

This Trojan is related to a possible targeted attack.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

It uses legitimate program files in its attachments in order to hide its malicious routines.

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This Trojan drops the following files:

• %User Profile%Application Data\Locations\winhlps.exe - detected as BKDR_SMALL.NAE

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It drops the following non-malicious file:

• %User Temp%\{random}.doc

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• %User Profile%Application Data\Locations

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Dropping Routine

This Trojan executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

NOTES:
It drops a non-malicious Microsoft Word document in order to mask the malicious routines it performs.