TROJ_DABVEGI.C

 Analysis by: Christopher Daniel So

 PLATFORM:

Windows 2000, XP, Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojan executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

  TECHNICAL DETAILS

File Size:

167,936 bytes

File Type:

PE

Memory Resident:

No

Initial Samples Received Date:

03 Sep 2010

Installation

This Trojan drops the following copies of itself into the affected system:

  • %User Temp%\mkii\win.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Temp%\mkii
  • %Program Files%\{random folder name}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files.)

Dropping Routine

This Trojan drops the following files:

  • %Program Files%\{random folder name}\xde4444jhc.exe - detected as TROJ_DABVEGI.B
  • %Program Files%\{random folder name}\scrypt.exe - detected as TSPY_ZBOT.SMDM

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.
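The installation and dropping routines above translate directly into file-system artifacts a responder can hunt for. The following added example (not Trend Micro's code) flags paths that match the documented layout: the self-copy at %User Temp%\mkii\win.exe and the two known filenames exactly one folder below %Program Files%, since the folder name is random. The resolved %User Temp% and %Program Files% roots are passed in as parameters, and the sample path listing is constructed.

```python
from pathlib import PureWindowsPath

# Filenames the write-up says are dropped under %Program Files%\{random folder name},
# mapped to the detection names given on the page.
DROPPED_FILES = {
    "xde4444jhc.exe": "TROJ_DABVEGI.B",
    "scrypt.exe": "TSPY_ZBOT.SMDM",
}


def _same(a, b):
    # Windows paths are case-insensitive; compare normalised strings.
    return str(PureWindowsPath(a)).lower() == str(PureWindowsPath(b)).lower()


def classify_path(path, user_temp, program_files):
    """Return a label if `path` matches a documented TROJ_DABVEGI.C artifact, else None.

    user_temp / program_files are the resolved %User Temp% and %Program Files% roots
    (assumed to be supplied by the caller, e.g. from the host's environment).
    """
    p = PureWindowsPath(path)

    # Installation: copy of itself at %User Temp%\mkii\win.exe
    if _same(p, PureWindowsPath(user_temp) / "mkii" / "win.exe"):
        return "TROJ_DABVEGI.C copy (%User Temp%\\mkii\\win.exe)"

    # Dropping routine: %Program Files%\{random folder name}\<known name>.
    # The folder name is random, so require exactly one directory level under the root.
    if p.name.lower() in DROPPED_FILES and _same(p.parent.parent, program_files):
        return f"dropped file detected as {DROPPED_FILES[p.name.lower()]}"
    return None


def find_artifacts(paths, user_temp, program_files):
    """Return [(path, label)] for every path in `paths` that matches a documented artifact."""
    hits = []
    for path in paths:
        label = classify_path(path, user_temp, program_files)
        if label:
            hits.append((path, label))
    return hits


# Constructed sample listing (not from a real host): artifacts mixed with near-miss paths.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\mkii\win.exe",
    r"C:\Program Files\q7xk2\xde4444jhc.exe",
    r"C:\Program Files\q7xk2\scrypt.exe",
    r"C:\Program Files\scrypt.exe",              # directly under the root: not the documented layout
    r"C:\Program Files\Vendor\Tool\scrypt.exe",  # two levels deep: not the documented layout
    r"C:\Documents and Settings\alice\Local Settings\Temp\win.exe",  # wrong folder
]

if __name__ == "__main__":
    for path, label in find_artifacts(SAMPLE_PATHS,
                                      r"C:\Documents and Settings\alice\Local Settings\Temp",
                                      r"C:\Program Files"):
        print(f"{label}: {path}")
```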

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

  • http://www.{BLOCKED}hanin.org/bbs/data/fl.zf - detected as TSPY_ZBOT.MDM