is a trojan that contacts a remote host in order to download and execute arbitrary files, and send information about the infected computer. It may also disable security settings.
This trojan may be distributed via spam email, either directly as a password-protected .zip attachment, or indirectly via a link to a remote copy of the trojan. It may arrive as an attachment on spam emails containing any of the following messages:
From: "DHL MANAGER 692" <<removed>@dhl.com>
Subject: DHL id. 3190264
Dear Consumer , Delivery Confirmation: FAILED
Print out the invoice copy attached and collect the package at our department
With best regards , DHL .com Customer Services
Subject: Response to my letter, I implore you. I can not do without you.
You are currently registered as: lonelywivesdatingclub <dot> com
- Age: 22
- Neme: Evon
- Seeking: A Male. Group 23-47
- Status: ONLINE
- Service: lonelywivesdatingclub. com 2900 Girls Currently Online
- Fotos: 8 fotos in attached file.
- Title: "Christina's Profile
Well i love going to amusment parks i love puppys and i have no kids but want some i dont smoke or drink i love to party and i USED to dance exotic. "
From: "MC MANAGER 57" <manager<removed>@mastercard.com>
Subject: Your credit card has been blocked
Your credit card has been blocked!
With your credit card was removed $ 3718,0
Possibly illegal operation!
More information in the attached file.
Immediately contact your bank .
MASTER CARD Services.
As part of its installation process, the trojan also injects its code into the legitimate svchost.exe; the injected code will continue to run (download routine) while the code injector (setup routine) will terminate.
Downloads and executes arbitrary files
may connect to a remote server in order to download and execute additional files.
Contacts remote hosts
The trojan may contact a remote host at 18.104.22.168 via HTTP POST in order to send the following information about the infected computer:
- Operating system version information
- Terminal service configuration
- Software restriction policies
- System and desktop configuration
- Network domain and computer name
- Internet Explorer configuration
- List of print jobs in target printers
- Hardware profile for the local computer
- Geographical location of the user
Allows backdoor access and control
can send an HTTP POST request to a remote server, and execute a server-side PHP script, which allows the remote attacker full access and control over the infected computer.
Terminates security processes
The trojan checks for the presence of security software WIRESHARK.EXE, and if found, will terminate this process.
Analysis by Zarestel Ferrer