TROJ_MEBRATIX.B

It deletes the created folder.

The dropped files contain the data that it writes into the MBR (Master Boot Record). This routine enables it to start even before the operating system is loaded.

It creates the following events:

- MPMon_6934D571-115B-4830-AC5C-02A0D08179C5

- Jiangmin_WallNotify_Notify

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %Windows%\tasks\{random number}.job
• %Program Files%\qq{random number}.txt

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It creates the following folders:

• C:\Program Files (x86)

Other System Modifications

This Trojan deletes the following folders:

• C:\Program Files (x86)

Dropping Routine

This Trojan drops the following files:

• %User Temp%\t.bat
• %Desktop%\ÍøÖ·µ¼º½.url

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.)

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• http://union.{BLOCKED}9.cn/n.txt

It saves the files it downloads using the following names:

• %Windows%\temp.txt

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Other Details

This Trojan connects to the following possibly malicious URL:

• http://union.{BLOCKED}9.cn/count.aspx?i={random}