TROJ_DLOADR.BWM

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan downloads the file from the following URL and renames the file when stored in the affected system:

• http://{BLOCKED}chingsolution.com/images/tere2611.exe
• http://{BLOCKED}oaching.com/wp-content/uploads/2013/01/tere2611.exe
• http://{BLOCKED}nclasses.org/images/tere2611.exe
• http://{BLOCKED}nvithani.com/images/tere2611.exe

It saves the files it downloads using the following names:

• %User Temp%\{random file name}.exe - Detected as TSPY_ZBOT.YNI
• %Temporary Internet Files%\Content.IE5\{random folder name}\tere2611[1].exe - Detected as TSPY_ZBOT.YNI

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Temporary Internet Files% is the Temporary Internet Files folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temporary Internet Files on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Microsoft\Windows\Temporary Internet Files on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.