TROJ_CAPHAW.CDF
Backdoor:Win32/Caphaw.K (Microsoft)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It downloads a file from a certain URL then renames it before storing it in the affected system. It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
It deletes itself after execution.
TECHNICAL DETAILS
135,168 bytes
EXE
24 Aug 2012
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Download Routine
This Trojan downloads files from the following URLs then renames them before storage in the affected system:
- {BLOCKED}-upd.at
- {BLOCKED}ervise.cc
It saves the files it downloads using the following names:
- %User Temp%\{random letter}.tmp.
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
Other Details
This Trojan deletes itself after execution.