TROJ_CHEPVIL.SM
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Installation
This Trojan drops and executes the following files:
- %System%\mlcqdcsk.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- http://{BLOCKED}.{BLOCKED}.220.52/lol2.exe
- http://{BLOCKED}.{BLOCKED}.220.52/pod.exe
- http://{BLOCKED}.{BLOCKED}.220.52/spm.exe
It saves the files it downloads using the following names:
- %System Root%\Documents and Settings\Administrator\Local Settings\Temp\spm.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}myqeg.com/1017000413
- http://{BLOCKED}.{BLOCKED}.193.20/service/listener.php?affid=50039
- http://{BLOCKED}.{BLOCKED}.193.20/service/scripts/files/aff_50039.dll
- http://{BLOCKED}.{BLOCKED}.88.10//srv
- http://{BLOCKED}.{BLOCKED}.88.10//dll
- http://{BLOCKED}.{BLOCKED}.193.138/xxxx_2/MDUwNTZjMDA4fDUwMDM5fDB8M3wxZTd8NS4xIDI2MDAgU1AzLjB8MHwwfHBybjE0
It deletes itself after execution.
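A defender can turn the indicators above into a simple hunting check. The script below is an added example, not Trend Micro code: it matches proxy-log URLs against the path and query components listed in this write-up (the host octets are masked as {BLOCKED} on the page, so only the paths are used, which makes the match a heuristic rather than a confirmation), and it checks a file inventory for the dropped DLL and the downloaded payload. The log line format ("client method url") and the sample inventory are constructed for the example.

```python
"""Hunting helper built from the indicators in the TROJ_CHEPVIL.SM write-up.

Added example (not Trend Micro code). Hosts are masked in the advisory, so
URL matching is done on path/query only; treat hits as leads to triage.
"""
import re
from typing import Iterable, List, Optional, Tuple

# URL path/query indicators taken from the advisory's Download Routine and
# Other Details sections. Regexes are constructed for this example.
URL_INDICATORS = {
    "payload_download": re.compile(r"/(?:lol2|pod|spm)\.exe(?:\?|$)"),
    "affiliate_checkin": re.compile(r"/service/listener\.php\?affid=50039\b"),
    "affiliate_dll": re.compile(r"/service/scripts/files/aff_50039\.dll(?:\?|$)"),
    "double_slash_path": re.compile(r"//(?:srv|dll)(?:\?|$)"),
    "myqeg_beacon": re.compile(r"myqeg\.com/\d+(?:\?|$)"),
}

# File indicators from the advisory (dropped DLL in %System%, payload in the
# Administrator temp folder). Compared case-insensitively, as Windows paths are.
DROPPED_FILE_SUFFIXES = (
    r"\system32\mlcqdcsk.dll",
    r"\local settings\temp\spm.exe",
)


def classify_url(url: str) -> Optional[str]:
    """Return the name of the first indicator matching `url`, or None."""
    for name, pattern in URL_INDICATORS.items():
        if pattern.search(url):
            return name
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan constructed 'client method url' lines; return (lineno, client, indicator)."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the hunt
        indicator = classify_url(parts[2])
        if indicator:
            hits.append((lineno, parts[0], indicator))
    return hits


def find_dropped_files(paths: Iterable[str]) -> List[str]:
    """Return inventory entries that end with one of the advisory's file paths."""
    return [p for p in paths
            if any(p.lower().endswith(s) for s in DROPPED_FILE_SUFFIXES)]


# Constructed sample data (RFC 5737 documentation addresses stand in for the
# masked hosts; not real observations).
SAMPLE_LOG = [
    "10.0.0.5 GET http://203.0.113.7/lol2.exe",
    "10.0.0.5 GET http://203.0.113.9/service/listener.php?affid=50039",
    "10.0.0.8 GET http://www.example.com/index.html",
    "10.0.0.5 GET http://203.0.113.11//srv",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\mlcqdcsk.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\spm.exe",
]

if __name__ == "__main__":
    for lineno, client, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"log line {lineno}: {client} -> {indicator}")
    for path in find_dropped_files(SAMPLE_FILES):
        print(f"suspicious file: {path}")
```

Because the affiliate id 50039 and the three payload names are the most specific strings on the page, a hit on `affiliate_checkin` or `affiliate_dll` is a much stronger lead than a hit on the generic `//srv` path; rank triage accordingly.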