JAVA_BANLOAD.YWNUN
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It accesses websites to download files. This action allows this malware to possibly add other malware on the affected computer.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Installation
This Trojan drops the following files:
- %User Profile%\AppData\Roaming\local
- %User Profile%\AppData\Roaming\com.json
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It creates the following folders:
- %User Profile%\AppData\Roaming\globo.com
- %User Profile%\AppData\Roaming\Sun
Download Routine
This Trojan accesses websites to download the following files:
- %User Profile%\AppData\Roaming\globo.com\globo.h
- %User Profile%\AppData\Roaming\Sun\help.j
Other Details
This Trojan connects to the following possibly malicious URL:
- https://www.google.com.br/?g{BLOCKED}q=install+pdf
- http://{BLOCKED}.{BLOCKED}.59.211/verde/aa/inf.php?
- http://{BLOCKED}.{BLOCKED}.59.211/ref/w123.hlp
- http://{BLOCKED}.{BLOCKED}.59.211/ref/s123.hlp
- http://{BLOCKED}.{BLOCKED}.59.211/ref/update.hlp