
Trojan:Win32/Estiwir.A


Microsoft security software detects and removes this threat.

This trojan downloads other malware onto your computer and can stop some programs or applications from working correctly. 

It is downloaded onto your computer by other malware, including PWS:Win32/OnLineGames.AH and PWS:Win32/Lolyda.BF.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

This threat may download other malware that can steal your information by recording usernames and passwords. After you remove this threat it is a good idea to change your passwords.

The following page has tips on how to create and use strong passwords:

Threat behavior

Installation

Trojan:Win32/Estiwir.A arrives on your computer as a .DLL file. It is downloaded by other trojans, including PWS:Win32/OnLineGames.AH and PWS:Win32/Lolyda.BF.

It is installed in the <system folder> as Midimap.dll, replacing the legitimate Midimap.dll file.

Payload

Downloads other malware

When run, Trojan:Win32/Estiwir.A is injected into Explorer.exe. It then downloads and runs other malware, including PWS:Win32/OnLineGames.AH.

The downloaded malware files are saved and run in the %TEMP% folder with the filename <10 numbers>.exe, for example: 7223939032.exe.

In the wild, we have seen additional malware downloaded from the following URLs:

  • blue.iaevkw.com/<removed>/sheet3.rar
  • blue.ixcylp.com/<removed>/sheet3.rar
  • now.eyrzaz.com/<removed>/witer3.rar
  • now.toilez.com/<removed>/witer3.rar
  • pler.znfzvd.com/<removed>/witer3.rar
  • pler.zrjqgg.com/<removed>/witer3.rar
  • zip.hvtmcb.com/<removed>/witer3.rar
  • zip.kairwu.com/<removed>/witer3.rar
  • zip.ndksgu.com/<removed>/witer3.rar
  • zip.nnmyuk.com/<removed>/witer3.rar
  • zip.ogagud.com/<removed>/witer3.rar
  • zip.ojpbvw.com/<removed>/witer3.rar
  • zip.qsmoeu.com/<removed>/witer3.rar
  • zip.rwzuok.com/<removed>/witer3.rar

The downloaded malware is detected as PWS:Win32/OnLineGames.AH.

Stops service and deletes files

We have seen Trojan:Win32/Estiwir.A stop the following services:

  • EstRtwIFDrv
  • v3engine

The trojan also deletes the file <system folder>\drivers\EstRtw.sys, which is the driver used by the EstRtwIFDrv service.

These services are related to AhnLab security software and an ESTsoft Corp application. It likely stops these services to prevent detection.
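Added example, not part of the Microsoft write-up: a read-only PowerShell triage script that checks a host for the indicators described in the Installation and Payload sections above: a Midimap.dll in the system folder whose Microsoft signature does not validate, ten-digit .exe files in %TEMP%, the EstRtwIFDrv and v3engine services in a stopped state, and a registered EstRtwIFDrv service whose EstRtw.sys driver file is missing. The function names, the Win32_BaseService query and the output layout are my own choices, not anything the write-up specifies.

```powershell
# Added example (not from the Microsoft write-up): read-only host triage for
# the Trojan:Win32/Estiwir.A indicators described above. Function names are
# the example author's own. Run from an elevated PowerShell prompt.

function Test-MidimapIntegrity {
    # The trojan replaces the legitimate Midimap.dll in the system folder.
    # The genuine file is Microsoft-signed (through the system catalog), so a
    # signature that does not validate warrants a closer look. Caveat: older
    # Windows releases report catalog-signed files as NotSigned; confirm with
    # a hash comparison against a known-good copy before concluding anything.
    $candidates = @(Join-Path $env:SystemRoot 'System32\Midimap.dll')
    $wow = Join-Path $env:SystemRoot 'SysWOW64\Midimap.dll'
    if (Test-Path $wow) { $candidates += $wow }   # 64-bit hosts carry a second copy

    foreach ($path in $candidates) {
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Check = 'Midimap.dll'; Status = 'Missing'; Detail = $path }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        $status = if (($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')) { 'OK' } else { 'Suspicious' }
        [pscustomobject]@{ Check = 'Midimap.dll'; Status = $status; Detail = "$path : $($sig.Status), signer $signer" }
    }
}

function Find-TempDroppedExecutables {
    # Downloaded payloads are written to %TEMP% as <10 digits>.exe,
    # e.g. 7223939032.exe. Each file matching that pattern is reported.
    Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d{10}\.exe$' } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'TEMP payload'
                Status = 'Suspicious'
                Detail = "$($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))"
            }
        }
}

function Test-SecurityServices {
    # The trojan stops EstRtwIFDrv (a driver service) and v3engine. Get-Service
    # does not enumerate kernel drivers, so Win32_BaseService (parent class of
    # both Win32_Service and Win32_SystemDriver) is queried instead. A service
    # that was never installed is not an indicator; only a stopped one is.
    foreach ($name in 'EstRtwIFDrv', 'v3engine') {
        $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$name'"
        if ($null -eq $svc) {
            $status = 'NotInstalled'; $detail = 'service not registered on this host'
        } elseif ($svc.State -eq 'Running') {
            $status = 'OK'; $detail = 'Running'
        } else {
            $status = 'Suspicious'; $detail = "State=$($svc.State), StartMode=$($svc.StartMode)"
        }
        [pscustomobject]@{ Check = "Service $name"; Status = $status; Detail = $detail }
    }
}

function Test-EstRtwDriverFile {
    # The trojan deletes <system folder>\drivers\EstRtw.sys, the driver behind
    # EstRtwIFDrv. Meaningful only when the service is registered but its file
    # is gone; a host without the ESTsoft application has neither.
    $driver = Join-Path $env:SystemRoot 'System32\drivers\EstRtw.sys'
    $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='EstRtwIFDrv'"
    if (($null -ne $svc) -and -not (Test-Path $driver)) {
        [pscustomobject]@{ Check = 'EstRtw.sys'; Status = 'Suspicious'; Detail = "EstRtwIFDrv registered but $driver is missing" }
    } elseif (Test-Path $driver) {
        [pscustomobject]@{ Check = 'EstRtw.sys'; Status = 'OK'; Detail = $driver }
    }
}

$findings = @(Test-MidimapIntegrity) + @(Find-TempDroppedExecutables) +
            @(Test-SecurityServices) + @(Test-EstRtwDriverFile)
$findings | Format-Table -AutoSize

if ($findings | Where-Object { $_.Status -eq 'Suspicious' }) {
    Write-Warning 'Indicators consistent with Trojan:Win32/Estiwir.A found: run a full scan with up-to-date security software and change passwords afterwards.'
}
```

The script only reads the host and never deletes or restores anything; remediation is the full scan the write-up calls for. A clean result does not rule out infection, since later variants may use different file names or paths, and a stopped v3engine or EstRtwIFDrv on a host where those products were deliberately disabled is a false positive that the Detail column is meant to help you recognise.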

Analysis by Ric Robielos


Symptoms

The presence of this malware may stop AhnLab security software or ESTsoft Corp applications from working correctly.

Prevention


Alert level: Severe
First detected by definition: 1.143.1597.0
Latest detected by definition: 1.185.1239.0 and higher
First detected on: Feb 05, 2013
This entry was first published on: Feb 05, 2013
This entry was updated on: Jul 24, 2013

This threat is also detected as:
  • Win-Trojan/Agent.42496.US (AhnLab)
  • W32/OnlineGames.IS.gen!Eldorado (Command)
  • Trojan.Win32.Mixil.f (Kaspersky)
  • winpe/Suspicious_Gen4.CFUOV (Norman)
  • Win32/DH.FF85019D{Mw} (AVG)
  • TR/Spy.Browser.1894 (Avira)
  • Gen:Trojan.Heur.bi5@ID6llpi (BitDefender)
  • Trojan.Siggen4.56382 (Dr.Web)
  • Win32/TrojanDownloader.Agent.RRX trojan (ESET)
  • Packer.Malware.NSAnti (Ikarus)
  • Generic.atg-FAXG!39BB69F46394 (McAfee)
  • Trojan.PSW.OnlineGames!4D9C (Rising AV)