Follow:

 

TrojanDropper:Win32/Ilomo


TrojanDropper:Win32/Ilomo is a trojan that drops another malware, detected as Trojan:Win32/Ilomo.gen!A, in the system. In the wild, this trojan has been observed to be installed by Javascript malware, such as Exploit:JS/Mult.K.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

TrojanDropper:Win32/Ilomo is a trojan that drops another malware in the system. In the wild, this trojan has been observed to be installed by Javascript malware, such as Exploit:JS/Mult.K.
Payload
Drops Other Malware
Upon execution, TrojanDropper:Win32/Ilomo drops Trojan:Win32/Ilomo.gen!A. into the user's Application Data folder using one of the following file names:
 
dumpreport.exe
msiexeca.exe
svchosts.exe
upnpsvc.exe
service.exe
taskmon.exe
rundll.exe
helper.exe
event.exe
logon.exe
sound.exe
lsas.exe
 
Note that these file names are similar to the file names used by legitimate system processes (such as 'lsass.exe', 'svchost.exe', and 'services.exe').
 
It also modifies the system registry so that its dropped malware automatically runs every time Windows starts:
 
Adds value: "<value>"
With data: "%AppData%\<malware name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
where <malware name> is one of the above possible file names and <value> is one of the following:
 
CrashDump
svchosts
EventLog
TaskMon
Windows
RunDll
System
Setup
Sound
lsass
UPNP
Init
 
It then runs its dropped malware, Trojan:Win32/Ilomo.gen!A.
 
Analysis by Matt McCormack

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
 
Because TrojanDropper:Win32/Ilomo may arrive with other associated threats, the presence of Exploit:JS/Mult.K or Trojan:Win32/Ilomo.gen!A may also be symptoms of this threat.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.89.812.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Mar 03, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Ilomo.BA (CA)
  • Trojan.Win32.Agent2.ekk (Kaspersky)
  • Trojan.Clampi (Symantec)