is a trojan that can download other malware and record the user's keystrokes. It consists of several components: an .EXE component and a .DLL component. It may be installed by Exploit:Win32/CplLnk.A
TrojanDownloader:Win32/Chymine.A may be installed in the computer by other malware, such as Exploit:Win32/CplLnk.A.
Upon execution, it checks if its file name is "explorer.exe". If this is not the case, it terminates itself.
It downloads the following file:
bin.exe - also detected as TrojanDownloader:Win32/Chymine.A
It downloads this file from the following IP address:
The downloaded file is saved as the following:
The downloaded file is then executed.
It drops a .DLL component as the following:
%Temp%\..\<six random characters>.dll (for example, "BB062E.dll") - also detected as TrojanDownloader:Win32/Chymine.A
This .DLL component may register itself as a system service that is loaded by the legitimate Windows process "svchost.exe". It may also inject code into other system processes, such as "winlogon.exe".
The .DLL component of TrojanDownloader:Win32/Chymine.A is capable of performing the following malicious actions:
Download other malware
TrojanDownloader:Win32/Chymine.A copies the following legitimate Windows file to a different location:
<system folder>\rundll32.exe -> %Temp%\..\<six random characters>.exe (for example, "BB062E.exe")
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Analysis by Tim Liu
The following system changes may indicate the presence of this malware: