TROJ_DLOADER.YNLA

This Trojan may be downloaded by other malware/grayware from remote sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

• TROJ_PIDIEF.YNLA

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}iaingenieria.es/111
• http://{BLOCKED}nces-immobilier.com/111
• http://{BLOCKED}rprincesse.web.{BLOCKED}2.com/111
• http://{BLOCKED}ild.com/111
• http://{BLOCKED}afari.com/111
• http://{BLOCKED}s.{BLOCKED}i.ro/111
• http://{BLOCKED}o.web.{BLOCKED}2.com/111
• http://{BLOCKED}a.com/111
• http://{BLOCKED}cgeneration.com/111
• http://{BLOCKED}i.{BLOCKED}5.eu/111
• http://{BLOCKED}a.es/111
• http://{BLOCKED}eria.com/111
• http://{BLOCKED}orgeous.com/111
• http://{BLOCKED}b.com/111
• http://{BLOCKED}dubai.com/111
• http://{BLOCKED}liariarobinson.com/111
• http://{BLOCKED}nin.cba.pl/111
• http://{BLOCKED}s.net/111
• http://{BLOCKED}s.net.pl/111
• http://{BLOCKED}k.{BLOCKED}r.ru/111
• http://{BLOCKED}oteles.pt/111
• http://{BLOCKED}331.{BLOCKED}ver.de/111
• http://{BLOCKED}air.com/111
• http://{BLOCKED}r.com/111
• http://{BLOCKED}iaz.net/111
• http://{BLOCKED}v.com/111
• http://{BLOCKED}k.{BLOCKED}o.ro/111
• http://www.{BLOCKED}eboer.com/111
• http://www.{BLOCKED}r.it/111

It saves the files it downloads using the following names:

• %User Temp%\mss{random}.exe - TSPY_ZBOT.YNLA

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.