TrojanDownloader:Win32/Chymine.A


TrojanDownloader:Win32/Chymine.A is a trojan that can download other malware and record the user's keystrokes. It consists of several components: an .EXE component and a .DLL component. It may be installed by Exploit:Win32/CplLnk.A.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
TrojanDownloader:Win32/Chymine.A may be installed on the computer by other malware, such as Exploit:Win32/CplLnk.A.
 
Upon execution, it checks whether its file name is "explorer.exe". If this is not the case, it terminates itself.
 
It downloads the following file:
 
  • bin.exe - also detected as TrojanDownloader:Win32/Chymine.A
 
It downloads this file from the following IP address:
 
  • 205.209.171.119
 
The downloaded file is saved as the following:
 
  • %APPDATA%\conime.exe
 
The downloaded file is then executed. It drops a .DLL component as the following:
 
  • %Temp%\..\<six random characters>.dll (for example, "BB062E.dll") - also detected as TrojanDownloader:Win32/Chymine.A
 
This .DLL component may register itself as a system service that is loaded by the legitimate Windows process "svchost.exe". It may also inject code into other system processes, such as "winlogon.exe".
Payload
The .DLL component of TrojanDownloader:Win32/Chymine.A is capable of performing the following malicious actions:
 
  • Record keystrokes
  • Download other malware
Additional information
TrojanDownloader:Win32/Chymine.A copies the following legitimate Windows file to a different location:
 
  • <system folder>\rundll32.exe -> %Temp%\..\<six random characters>.exe (for example, "BB062E.exe")
 
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
 
Analysis by Tim Liu

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %APPDATA%\conime.exe
    BB062E.dll
    BB062E.exe
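A triage check for the file indicators listed above, added here as an example and not part of this entry. It assumes the six random characters are alphanumeric (the page's example, BB062E, is hex) and identifies the dropped .exe as a copy of rundll32.exe by comparing its hash against the legitimate <system folder>\rundll32.exe; the directory tree it runs over is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The write-up calls the dropped name "six random characters"; its example
# (BB062E) is hex, so accepting any six alphanumerics is an assumption here.
RANDOM_NAME = re.compile(r"^[0-9A-Za-z]{6}\.(dll|exe)$", re.IGNORECASE)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_chymine_indicators(appdata, temp, rundll32):
    # appdata: %APPDATA% (the download is saved here as conime.exe)
    # temp: %Temp%; the .exe/.dll components land in its parent folder
    # rundll32: the legitimate <system folder>\rundll32.exe, for comparison
    findings = {"conime": None, "dropped_dll": [], "rundll32_copies": []}
    conime = appdata / "conime.exe"
    if conime.is_file():
        findings["conime"] = str(conime)
    legit_hash = sha256(rundll32) if rundll32.is_file() else None
    for p in temp.parent.iterdir():
        if not p.is_file() or not RANDOM_NAME.match(p.name):
            continue
        if p.suffix.lower() == ".dll":
            findings["dropped_dll"].append(p.name)
        elif legit_hash and sha256(p) == legit_hash:
            # a six-character .exe byte-identical to rundll32.exe is the copy
            findings["rundll32_copies"].append(p.name)
    return findings

def demo():
    """Run the check over a constructed tree that mimics the write-up's paths."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        appdata, temp = root / "AppData" / "Roaming", root / "Local" / "Temp"
        system32 = root / "Windows" / "System32"
        for folder in (appdata, temp, system32):
            folder.mkdir(parents=True)
        rundll32 = system32 / "rundll32.exe"
        rundll32.write_bytes(b"MZ constructed stand-in for rundll32.exe")
        (appdata / "conime.exe").write_bytes(b"MZ constructed sample")
        (temp.parent / "BB062E.dll").write_bytes(b"MZ constructed sample")
        (temp.parent / "BB062E.exe").write_bytes(rundll32.read_bytes())
        (temp.parent / "notes.txt").write_text("unrelated file, ignored")
        return find_chymine_indicators(appdata, temp, rundll32)

if __name__ == "__main__":
    print(demo())
```

On a live host, pass the real %APPDATA%, %Temp% and %SystemRoot%\System32\rundll32.exe paths instead of the constructed tree.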

Alert level: Severe
This entry was first published on: Jul 23, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases