TROJ_HTPIC.A
Trojan.Win32.Sulunch (Ikarus), Trojan:Win32/Meredrop (Microsoft)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes then deletes itself afterward.
TECHNICAL DETAILS
File size: Varies
File type: EXE
Initial samples received date: 02 Jul 2012
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- %Application Data%\htmen4.ds
- %Application Data%\htmeni.ds
- %Application Data%\htmenm.ds
- %Application Data%\htmenx.ds
- %Application Data%\xss.bat
- %User Temp%\{random file name}.bat
- %Program Files%\Java\jre6\bin\bin\java.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files.)
It drops the following copies of itself into the affected system:
- %Application Data%\dspic.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %Windows%\amd32_lux\config
- %Program Files%\Java\jre6\bin\bin
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %Program Files% is the default Program Files folder, usually C:\Program Files.)
It executes then deletes itself afterward.
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
JavaUpdate = "%Program Files%\Java\jre6\bin\bin\java.exe netid/"
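Triage check for the indicators above, written as an added example and not Trend Micro's own tooling: it expands the page's %...% placeholders using the Windows 2000/XP/Server 2003 locations given in the notes, then matches the dropped files, created folders and the policies\Explorer\Run value against a file listing and a set of autorun entries. The sample input at the bottom is constructed; a real run would feed it a directory listing and a registry export.

```python
import re
# Placeholder expansions for Windows 2000/XP/Server 2003 as the page's notes define them ('*' = {user name}).
PLACEHOLDERS = {
    "%Application Data%": r"C:\Documents and Settings\*\Local Settings\Application Data",
    "%User Temp%": r"C:\Documents and Settings\*\Local Settings\Temp",
    "%Program Files%": r"C:\Program Files",
    "%Windows%": r"C:\WINDOWS",
}
# File and folder indicators listed on the page (dropped files, dropped copy, created folders).
INDICATOR_PATHS = [
    r"%Application Data%\htmen4.ds", r"%Application Data%\htmeni.ds",
    r"%Application Data%\htmenm.ds", r"%Application Data%\htmenx.ds",
    r"%Application Data%\xss.bat", r"%Application Data%\dspic.exe",
    r"%User Temp%\{random file name}.bat",  # weak on its own: any .bat in Temp matches
    r"%Program Files%\Java\jre6\bin\bin\java.exe", r"%Program Files%\Java\jre6\bin\bin",
    r"%Windows%\amd32_lux\config",
]
# Persistence entry from the page: value name and data under the policies\Explorer\Run key.
AUTORUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
AUTORUN_VALUE = "JavaUpdate"
AUTORUN_DATA = r"%Program Files%\Java\jre6\bin\bin\java.exe netid/"

def to_regex(template):
    """Expand placeholders, then build a case-insensitive regex; '*' and {random file name} become wildcards."""
    for name, path in PLACEHOLDERS.items():
        template = template.replace(name, path)
    parts = re.split(r"(\*|\{random file name\})", template)
    body = "".join(r"[^\\]+" if p in ("*", "{random file name}") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)

def scan_paths(observed):
    """Return the observed file/folder paths (e.g. from a directory listing) that match an indicator."""
    patterns = [to_regex(t) for t in INDICATOR_PATHS]
    return sorted(p for p in observed if any(r.match(p) for r in patterns))

def scan_autoruns(entries):
    """entries: (key, value name, data) triples from a registry export; returns the matching ones."""
    data_re = to_regex(AUTORUN_DATA)
    return [e for e in entries if e[0].lower() == AUTORUN_KEY.lower()
            and e[1].lower() == AUTORUN_VALUE.lower() and data_re.match(e[2])]

# Constructed sample input (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Local Settings\Application Data\htmen4.ds",
    r"C:\Documents and Settings\alice\Local Settings\Temp\k3j2.bat",
    r"C:\Program Files\Java\jre6\bin\java.exe",  # legitimate JRE location, must not match
    r"C:\Program Files\Java\jre6\bin\bin\java.exe",
]
SAMPLE_AUTORUNS = [(AUTORUN_KEY, "JavaUpdate", r"C:\Program Files\Java\jre6\bin\bin\java.exe netid/"),
                   (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")]
```

The doubled bin\bin directory is the distinguishing part of the java.exe indicator: the JRE's own java.exe under jre6\bin is left alone.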