Trojan:Win32/Chymine.A is a trojan that drops a keylogging malware detected as TrojanSpy:Win32/Chymine.A
. It consists of several components: an .EXE component and a .DLL component. It may be launched and installed by Exploit:Win32/CplLnk.A
Trojan:Win32/Chymine.A may arrive in the computer as a .DLL file that is launched and installed by other malware, such as Exploit:Win32/CplLnk.A. It may arrive with the following file name:
It downloads the following file:
bin.exe - also detected as Trojan:Win32/Chymine.A
It downloads this file from the following IP address:
The downloaded file is saved as the following:
The downloaded file is then executed.
Drops other malware
Trojan:Win32/Chymine.A drops a .DLL component as the following:
This .DLL component may register itself as a system service that is loaded by the legitimate Windows process "svchost.exe". It may also inject code into other system processes, such as "winlogon.exe".
The .DLL component of Trojan:Win32/Chymine.A is capable of performing the following malicious action:
Trojan:Win32/Chymine.A copies the following legitimate Windows file to a different location:
<system folder>\rundll32.exe -> %Temp%\..\<random file name>.exe (for example, "BB062E.exe")
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Analysis by Tim Liu