You might get this threat on your PC as a Word document attached to a spammed email, or shared via social media.
One variant we observed being distributed in the wild in late December 2010 opens a non-malicious Word document (seen below) after running its malicious payload.
The message is in Russian and translates as:
Dear colleagues and friends!
Happy New Year!
Downloads and runs other malware
Some variants contain a payload to download and run other malware on your PC. One such variant connected to mywindowsupdate.net/****/svchost.exe and saved the targeted file to <system folder>\a.exe. This file is detected as Trojan:Win32/Turkojan.C.
Drops and installs other malware
Some variants contain a payload to drop and run other malware on your PC. One such variant dropped the file <system folder>\<system folder>\ mspmsnsr.dll\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90. This file is detected as TrojanDropper:Win32/Meciv.A.
In turn, this file drops another service DLL component to <system folder>\wucltul.dll. This file is detected as Backdoor:Win32/Meciv.A.
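The indicators above can be checked against proxy and file-creation logs. The following sweep is an added example, not part of the original analysis; it assumes `<system folder>` is `C:\Windows\System32` or `SysWOW64` and uses a hypothetical `PROXY <url>` / `FILECREATE <path>` log format with constructed sample lines.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators taken from the write-up above. The mspmsnsr.dll dropper is left
# out because its full path is unclear in the write-up.
C2_DOMAIN = "mywindowsupdate.net"
FETCHED_NAME = "svchost.exe"
DROPPED_NAMES = {"a.exe": "Trojan:Win32/Turkojan.C",
                 "wucltul.dll": "Backdoor:Win32/Meciv.A"}
# Assumption: "<system folder>" resolves to one of these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def url_hit(url):
    """True if the host is the domain (or a subdomain) and the file is svchost.exe."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Compare on a label boundary so look-alike hosts do not match.
    on_domain = host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)
    return on_domain and parts.path.lower().rsplit("/", 1)[-1] == FETCHED_NAME

def file_hit(path):
    """Return the detection name if a listed file sits directly in a system folder."""
    p = PureWindowsPath(path)
    if str(p.parent).lower() in SYSTEM_DIRS:
        return DROPPED_NAMES.get(p.name.lower())
    return None

def sweep(lines):
    """Scan log lines and return (line_number, reason) for every indicator match."""
    hits = []
    for n, line in enumerate(lines, 1):
        kind, _, value = line.strip().partition(" ")
        if kind == "PROXY" and url_hit(value):
            hits.append((n, "download from " + C2_DOMAIN))
        elif kind == "FILECREATE" and file_hit(value):
            hits.append((n, file_hit(value)))
    return hits

# Constructed sample lines (not real telemetry); "xx" stands in for the elided path.
SAMPLE = [
    "PROXY http://mywindowsupdate.net/xx/svchost.exe",
    "PROXY http://notmywindowsupdate.net/xx/svchost.exe",
    "PROXY http://update.example.org/?ref=mywindowsupdate.net/svchost.exe",
    r"FILECREATE C:\Windows\System32\A.EXE",
    r"FILECREATE C:\Users\test\Downloads\a.exe",
    r"FILECREATE C:\WINDOWS\system32\wucltul.dll",
]

if __name__ == "__main__":
    for line_no, reason in sweep(SAMPLE):
        print(line_no, reason)
```

Matching the host on a label boundary and the file on its exact parent folder keeps look-alike domains and same-named files elsewhere on disk out of the results.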
Analysis by Rodel Finones
The following could indicate that you have this threat on your PC:
- You might receive a Word document that looks like this: