TROJ_DLOADER.FMS
ARC:RAR, ARC:[1.doc]:Embedded (Kaspersky), Trojan.ADH.2 (Symantec), Trojan.Win32.Generic!BT (Sunbelt), PUA.Win32.Packer.Armadillo-92 (Clamav), Trojan-Downloader, Trojan-Downloader (Ikarus), probably unknown NewHeur_PE virus, probably unknown NewHeur_PE virus (NOD32), New unknown virus W32/Obfuscated.D3!genr (Norman), [WINWORD.exe]:Suspicious file (Panda), is suspected of Trojan.Downloader.gen.h (VBA32)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.
It uses common file icons to trick a user into thinking that the files are legitimate. The dropped file is injected in all running processes.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be manually installed by a user.
Installation
This Trojan drops the following component file(s):
- %User Temp%\WINWORD.EXE
- %User Temp%\1.doc
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It uses common file icons to trick a user into thinking that the files are legitimate.
The dropped file is injected in all running processes.
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
load = %User Temp%\WINWORD.exe
Download Routine
This Trojan connects to the following URL(s) to download its component file(s):
- http://{BLOCKED}t.{BLOCKED}t.com/images/index.html
- http://www.{BLOCKED}soft.com/images/index.html