When Trojan:Win32/Clort.A is executed, it creates a mutex named ‘2008-MS08-067_TEST’ and exits if it already exists. This trojan connects to a remote site to retrieve target information, or IP address range data for the trojan to attack. The data is retrieved from the domain address 'gsinvest.gov.cn/*******/VoteModiy.asp'.
Next, Win32/Clort.A executes %TEMP%\svchost.exe, attacking IP addresses provided by text from the page 'VoteModify.asp'. It tries to connect to port 139, and if successful, launches
If a target computer is exploited, Win32/Clort.A!exploit executes shell code that instructs the target to download TrojanDownloader:Win32/VB.CJ from the domain 'dabao8.net' as a file named 'cc.exe'. The downloaded trojan is then run.
Win32/VB.CJ is a trojan that downloads other malware. When run, it attempts to download TrojanDownloader:Win32/VB.CQ from the domain 'nowbt.net' as a file named 'cpa.exe'.
After TrojanDownloader:Win32/VB.CQ is downloaded it is run. It attempts to connect to the Web address 'cpa123.cn' and downloads adware.