Threat behavior
TrojanDownloader:Win32/Harnig.gen!L is a generic detection for a trojan family that downloads and executes arbitrary files, including updates for itself.
Installation
This detection is broad and covers several variants of this large trojan family. Installation methods used by trojans detected with this name differ from variant to variant. However, trojans detected with this name may exhibit the following behaviors:
- May drop several executables with a .PHP file extension into the Internet Explorer cache folder, as in the following examples:
  exherboyv[1].php
  hgmslsbl[1].php
  ntnnk[1].php
- May drop several executables into the root of the local drive, such as C:\, as in the following example file names:
  wcfto.exe
  msccsxm.exe
  nfmtjx.exe
- May attempt to delete itself via cmd.exe
- May execute all of the dropped files under C:\
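As an added example from the defender's side (not part of the original analysis), the following Python check looks for the two drop patterns described above: .php files under an Internet Explorer cache folder that actually begin with the MZ executable header, and .exe files sitting directly in a drive root. The directory layout and file contents it builds are constructed for the demo and are not real malware.

```python
import os
import tempfile

# Windows executables start with the "MZ" DOS header, whatever their extension.
PE_MAGIC = b"MZ"

def is_pe_file(path):
    """True if the file begins with the MZ header of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False

def find_disguised_executables(cache_dir):
    """Flag .php files under an IE cache folder that are really PE files,
    the way Harnig drops them (e.g. exherboyv[1].php). Returns sorted paths."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            full = os.path.join(root, name)
            if name.lower().endswith(".php") and is_pe_file(full):
                hits.append(full)
    return sorted(hits)

def find_root_executables(drive_root):
    """Flag .exe files sitting directly in a drive root (Harnig drops names
    like wcfto.exe into C:\\). Only the root itself is inspected, not subfolders."""
    hits = []
    for name in os.listdir(drive_root):
        full = os.path.join(drive_root, name)
        if os.path.isfile(full) and name.lower().endswith(".exe") and is_pe_file(full):
            hits.append(full)
    return sorted(hits)

def build_sample_tree():
    """Constructed demo layout (no real malware): a fake cache folder holding one
    disguised PE and one genuine PHP text file, plus one PE in a fake drive root."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "Temporary Internet Files")
    os.makedirs(cache)
    with open(os.path.join(cache, "exherboyv[1].php"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # PE-looking header, should be flagged
    with open(os.path.join(cache, "index[1].php"), "wb") as fh:
        fh.write(b"<?php echo 'hi'; ?>")  # real script, must not be flagged
    with open(os.path.join(base, "wcfto.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    return base, cache
```

On a live system the same functions would be pointed at the real cache folder and at the drive root; a PE file with a .php extension in the cache has no legitimate reason to be there.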
Payload
Downloads and Executes Arbitrary Files
TrojanDownloader:Win32/Harnig.gen!L may attempt to download a new version of the various dropped "PHP" executables by contacting remote web sites.
Analysis by Neno Lakinski
Prevention