Malware Advisories

A Trojan horse program is a malware that is not capable of automatically spreading to other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to automatically start. Restoring affected systems may require procedures other than scanning with an antivirus program.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This worm arrives as attachment to email messages spammed by another malware or a malicious user. It may be dropped by other malware.

It may be downloaded from a remote site. This worm drops copies of itself. Note that the drop paths are harcoded within this worm's code. However, this dropping routine fails to execute on systems running Windows 2000 and Windows NT.

This worm creates registry entries to enable its automatic execution at every system startup.

This worm sends email using MAPI (Messaging Application Programming Interface) via MS Outlook. It sends email to all addresses listed in the MS Outlook address book with copies of itself as attachments.

It may also connect to Web sites to download an updated copy of itself. However, the said Web sites are inaccessible as of this writing.

This worm drops a copy of itself upon execution.

Through system registry modification, it then registers itself as a system service to ensure its automatic execution at every system startup.

To propagate, it drops copies of itself in all available physical and removable drives. It drops a file that allows it to automatically execute dropped copies when the drives are accessed.

File infectors infect executable files, usually Windows portable executables. They infect by incorporating their malicious code into executable files such that when the infected file is opened, the malicious code is also executed.

File infectors may come with other capabilities. Many viruses open backdoor access ports that allow remote users to manipulate affected systems, while some can spread into other computers.

Infected files are typically cleanable - they can be reverted back to their clean states. However, restoring affected systems may require procedures other than scanning with an antivirus program.

A Trojan horse program is a malware that is not capable of automatically spreading to other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to automatically start. Restoring affected systems may require procedures other than scanning with an antivirus program.

This Trojan may be downloaded from a remote site. It may also be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, this Trojan drops several component files, some of which are detected by Trend Micro as BKDR_SMALL.EKS. It then executes the dropped files. As a result, malicious routines of the dropped files are exhibited on the affected system. It then registers itself as a system service to ensure its automatic execution at every system startup.

It adds a reference to a non-existent file to the Layered Service Provider (LSP) chain by modifying a registry entry. It deletes itself after execution.

It connects to URLs to download malicious files detected by Trend Micro as follows:

• TROJ_PROSCKS.AG
• TROJ_PROSCKS.AF
• TROJ_GAMETHIE.EU
• TROJ_DLOADER.AAAG
• TROJ_PROSCKS.AC
• DIAL_CBHQ
• TSPY_ONLINEG.RMH
• TSPY_GAMPASS.EU

It saves the downloaded files in the Windows system folder. It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

This Trojan may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites. It may arrive as a .DLL file that exports functions used by other malware.

It is injected into processes running in memory.

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware.

It drops copies of itself. It drops files/components.

It creates registry entries to enable its automatic execution at every system startup. It also creates and modifies registry key(s)/entry(ies) as part of its installation routine.

It drops component files.

It deletes itself after execution.

This Trojan may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites. It may arrive as a .DLL file that exports functions used by other malware. It is injected into processes running in memory.

It is a component of the following malware families:

• TSPY_LINEAGE
• WORM_LINEAGE

It is used by other malware for its information theft functionalities. However, it requires its main component to perform its intended routine.

This Trojan may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites. It may arrive as a .DLL file that exports functions used by other malware.

It drops copies of itself. It is injected into processes running in memory.

It accesses Web sites to download file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.

This Trojan may be downloaded from certain remote sites by HTML_DLOADER.PCS.

It drops a copy of itself upon execution and then registers itself as a system service to ensure its automatic execution at every system startup.

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It creates a registry entry for certain application names located under a certain key. This routine prevents the affected applications from running.

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It accesses several URLs to download malicious files. It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

A Trojan horse program is a malware that is not capable of automatically spreading to other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to automatically start. Restoring affected systems may require procedures other than scanning with an antivirus program.

This worm may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It drops files/components.

It creates registry entries to enable its automatic execution at every system startup.

It drops copies of itself in all physical drives. It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

A Trojan horse program is a malware that is not capable of automatically spreading to other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to automatically start. Restoring affected systems may require procedures other than scanning with an antivirus program.