TROJ_DABVEGI.C
Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.
TECHNICAL DETAILS
Installation
This Trojan drops the following copies of itself into the affected system:
- %User Temp%\mkii\win.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %User Temp%\mkii
- %Program Files%\{random folder name}
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files.)
Dropping Routine
This Trojan drops the following files:
- %Program Files%\{random folder name}\xde4444jhc.exe - detected as TROJ_DABVEGI.B
- %Program Files%\{random folder name}\scrypt.exe - detected as TSPY_ZBOT.SMDM
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)
It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- http://www.{BLOCKED}hanin.org/bbs/data/fl.zf - detected as TSPY_ZBOT.MDM