
TrojanDownloader:MSIL/Truado.C


Microsoft security software detects and removes this threat.
 
This trojan downloads and installs other programs without your consent, including other malware.
 
This threat makes itself look like an Adobe update to trick you into installing it. It is usually downloaded from a malicious website.


What to do now

The following Microsoft security software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior

Installation

TrojanDownloader:MSIL/Truado.C arrives on your computer as a download from a malicious website. It uses the file name AdobeUpdater.exe to trick you into downloading and running it.

Once installed, it uses an Adobe Flash icon to trick you into thinking it is a legitimate file and running it:

 

When run, the trojan shows the following dialog box to make itself look like an Adobe update:

In the background, the trojan copies itself as %APPDATA%/startme.exe.

 

The trojan creates the following registry entry to ensure that it runs each time you start your computer:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: Adobe Updater
With data: "%APPDATA%/startme.exe"

Payload

Downloads other malware

Once installed on your computer the trojan makes an HTTP request to cdn.videowatchs.us/<removed>/check2.txt.

The server gives the trojan instructions to download other malware, which we detect as TrojanDropper:MSIL/Mevcadif.A.

TrojanDropper:MSIL/Mevcadif.A also installs other malware.

Analysis by Swapnil Bhalode 


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

%APPDATA%/startme.exe

  • The presence of the following registry modifications:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: Adobe Updater
With data: "%APPDATA%/startme.exe"
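The two indicators listed under Installation and Symptoms (the dropped copy in %APPDATA% and the "Adobe Updater" value under the user's Run key) can be checked with the following PowerShell script. It is an added example, not part of the Microsoft encyclopedia entry, and it assumes the entry's indicator names exactly as given above; the optional -Remove switch and the broader "any Run value pointing into %APPDATA%" check are additions for triage and are not described by the entry.

```powershell
# Added example (not part of the Microsoft encyclopedia entry): checks the
# current user's profile for the indicators the entry lists for
# TrojanDownloader:MSIL/Truado.C. Both indicators live under HKCU and
# %APPDATA%, so no administrator rights are needed.
param(
    [switch]$Remove   # when set, delete the Run value and dropped file if found
)

$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Adobe Updater'                       # value name from the entry
$dropPath  = Join-Path $env:APPDATA 'startme.exe'  # dropped copy from the entry
$findings  = @()

# Indicator 1: the persistence value under the user's Run key.
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties[$valueName]) {
    $findings += [pscustomobject]@{
        Indicator = 'Run value'
        Detail    = "$valueName = $($props.$valueName)"
    }
}

# Indicator 2: the dropped copy in %APPDATA%; record its SHA256 for triage.
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $dropPath).Hash
    $findings += [pscustomobject]@{
        Indicator = 'Dropped file'
        Detail    = "$dropPath (SHA256 $hash)"
    }
}

# Broader check (assumption, not from the entry): any other Run value whose
# command resolves into %APPDATA% is worth a second look, because this family
# hides there. Legitimate software does this too, so treat it as a lead.
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*' -or $p.Name -eq $valueName) { continue }  # skip metadata and indicator 1
        $cmd = ([string]$p.Value).Trim('"')   # the entry shows the data quoted, as "%APPDATA%/startme.exe"
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        if ($expanded -like "$env:APPDATA*") {
            $findings += [pscustomobject]@{
                Indicator = 'Run value in %APPDATA%'
                Detail    = "$($p.Name) = $expanded"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Truado.C indicators found for the current user.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $dropPath -Force -ErrorAction SilentlyContinue
        Write-Output 'Removed the Run value and dropped file; run a full antimalware scan afterwards.'
    }
}
```

Run it as the affected user, since the indicators are per-user (HKCU and that user's %APPDATA%); running it from another account, or elevated under a different profile, would miss them. The script only reports by default; -Remove clears the two listed indicators, but because the entry says the trojan downloads further malware (TrojanDropper:MSIL/Mevcadif.A), a full scan is still needed afterwards.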

 

Prevention


Alert level: Severe
First detected by definition: 1.151.380.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: May 18, 2013
This entry was first published on: May 18, 2013
This entry was updated on: Oct 07, 2013

This threat is also detected as:
  • Trojan-Ransom.Win32.Blocker.bfgk (Kaspersky)
  • winpe/Suspicious_Gen5.YSWO (Norman)
  • Trojan horse Downloader.MSIL.KC (AVG)
  • TR/Strictor.23182.16 (Avira)
  • Gen:Variant.Strictor.23182 (BitDefender)
  • Trojan.DownLoader9.15904 (Dr.Web)
  • MSIL/TrojanDownloader.Agent.IB trojan (ESET)
  • W32/Blocker.BFGK!tr (Fortinet)
  • Win32.SuspectCrc (Ikarus)