
TrojanDownloader:Win32/Dalexis.A


Microsoft security software detects and removes this threat.

This threat can download and run files on your PC, including other malware.

It can be installed when you open a spam email attachment.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat can be downloaded when you open a spam email attachment. We have seen the attachment use the following file names:

  • economizers_2014-09-22-10-15-42_63357391537.arj
  • item_2014-09-02_12-59-15_90936603418.arj
  • item_2014-09-03_10-01-56_96088208293.arj
  • order_2014-08-27_11-30-20_92103382498.zip
  • pronouncing_2014-09-15_14-59-20_QN9H3J.arj
  • pronouncing_218826814281517_8TQZ161.rar
  • sale_2014-08-27_10-59-26_96881014023.zip
  • sale_2014-09-02_14-45-02_32594437599.arj
  • statement_622653241052904_5T38CL3.rar 

When you open the attachment the malware runs. It installs the following file onto your PC:

  • %TEMP%\temp_cab_<random file name>.cab, for example %TEMP%\temp_cab_293703.cab

The malware also shows you an image similar to the following: 

 

Payload

Downloads updates and other malware

The malware checks for an internet connection by connecting to a clean website such as windowsupdate.microsoft.com. It then connects to a hardcoded remote host to download other malware, for example:

  • Alphatop.fr/graph/<removed>.tar.gz
  • carhiresoft.com/img/<removed>.tar.gz
  • creapoint.ch/stats/<removed>.tar.gz
  • lemasdepouzoulou.com/cmsms/doc/<removed>.tar.gz
  • le-rucher-de-la-grocha.fr/images/<removed>.tar.gz
  • salvatoreguadagno.com/_ss/<removed>.tar.gz

We have seen this threat download updates as well as other threats from the following malware families:

Analysis by Patrick Estavillo

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    %TEMP%\temp_cab_<random file name>.cab, for example %TEMP%\temp_cab_293703.cab
  • You see this image on your PC:


Prevention


Alert level: Severe
First detected by definition: 1.179.270.0
Latest detected by definition: 1.191.1112.0 and higher
First detected on: Jul 17, 2014
This entry was first published on: Jul 17, 2014
This entry was updated on: Nov 26, 2014

This threat is also detected as:
  • Downloader-FSH!19D184CAB398 (McAfee)
  • TR/Crypt.Xpack.68602 (Avira)
  • Troj/ZBot-IJN (Sophos)
  • Trojan.Win32.Agentb.apry (Kaspersky)
  • W32/Kryptik.CCYJ!tr (Fortinet)
  • W32/Trojan.ZDLA-4448 (Command)