TrojanDownloader:Win32/Camec.A


TrojanDownloader:Win32/Camec.A is the downloader and installer component for other Win32/Camec.A malware. It disables User Account Control (UAC) and gathers information about the infected computer, which it sends back to a remote server.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Upon execution, TrojanDownloader:Win32/Camec.A checks whether it is running on a computer whose locale is Portuguese-Brazil. If the locale is anything else, it exits without performing its malicious routine.
Payload
Disables security settings
TrojanDownloader:Win32/Camec.A disables User Account Control (UAC) if the operating system of the computer is Windows Vista or Windows 7.
 
Gathers sensitive information
TrojanDownloader:Win32/Camec.A gathers the following sensitive information:
 
  • Computer name
  • Logged-in user name
  • Hard disk serial number
  • Operating system version
 
The gathered information is sent back to a remote server.
 
Downloads and installs other malware
TrojanDownloader:Win32/Camec.A downloads and installs two Browser Helper Objects (BHOs) that are detected as other malware:
 
  • <system folder>\soundupkd.dll - detected as Trojan:Win32/Camec.A
  • <system folder>\shdoflash.dll - detected as TrojanSpy:Win32/Camec.A
 
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
 
Analysis by Marian Radu

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • <system folder>\soundupkd.dll
    • <system folder>\shdoflash.dll
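
A triage check built from the indicators in this entry, added here as an example and not part of the original analysis: it looks for the two DLLs, lists any registered BHO that loads them, and reports whether UAC is off. The function names are hypothetical; the SysWOW64 check, the BHO registry location and the EnableLUA value are standard Windows details assumed here, since the entry does not name them.

```powershell
# Added example: triage for the indicators named in this entry.
# Run from an elevated 64-bit PowerShell 4.0 or later (Get-FileHash).
$names = 'soundupkd.dll', 'shdoflash.dll'      # file names from this entry
# <system folder>; SysWOW64 is also checked because writes to System32 by a
# 32-bit process are redirected there on 64-bit Windows.
$folders = @("$env:windir\System32", "$env:windir\SysWOW64") |
    Where-Object { Test-Path -LiteralPath $_ }

function Get-CamecFile {
    foreach ($folder in $folders) {
        foreach ($name in $names) {
            $path = Join-Path $folder $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                [pscustomobject]@{
                    Path    = $path
                    Created = (Get-Item -LiteralPath $path -Force).CreationTimeUtc
                    SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                }
            }
        }
    }
}

function Get-CamecBho {
    # Registered BHOs (native and 32-bit views) whose server DLL has a listed name.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $bhoKey = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid  = $entry.PSChildName
            $inproc = "$root\Classes\CLSID\$clsid\InprocServer32"
            $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($server -and ($names -contains (Split-Path $server.Trim('"') -Leaf))) {
                [pscustomobject]@{ Clsid = $clsid; Server = $server }
            }
        }
    }
}

function Test-UacDisabled {
    # Assumption: UAC state is read from EnableLUA (0 = off); the entry does
    # not say which setting the malware changes.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-ItemProperty -LiteralPath $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA -eq 0
}

[pscustomobject]@{ Files = @(Get-CamecFile); Bhos = @(Get-CamecBho); UacDisabled = Test-UacDisabled }
```

A file-name match alone is a lead, not a verdict: confirm it with an antivirus scan, and record the hash and creation time before removing anything.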

Prevention


Alert level: Severe
First detected by definition: 1.89.660.0
Latest detected by definition: 1.97.286.0 and higher
First detected on: Aug 31, 2010
This entry was first published on: Aug 31, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan-Downloader.Win32.VB.zzk (Kaspersky)
  • TR/Agent.19972 (Avira)