Threat behavior
TrojanDownloader:Win32/Monkif.O is a trojan that downloads other malware. It arrives as a DLL file that may be dropped and loaded by other Win32/Monkif variants.
Installation
TrojanDownloader:Win32/Monkif.O may arrive on the computer under different file names, such as the following:
batmeter16.dll
default32.dll
mark_32.dll
It may be dropped and loaded by other Win32/Monkif variants.
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Monkif.O downloads malware from predefined Web sites, such as the following:
clicksend.biz
clickspot.biz
The downloaded file is then executed on the infected computer.
Terminates security-related processes
Some variants of TrojanDownloader:Win32/Monkif.O may look for the following running processes, normally associated with antivirus and firewall software, and attempt to terminate them:
acaas.exe
acaegmr.exe
acais.exe
acals.exe
acasp.exe
afmain.exe
ahnsd.exe
ahnsdsv.exe
almon.exe
alsvc.exe
aluschedulersvc.exe
apvxdwin.exe
ashdisp.exe
ashmaisv.exe
ashserv.exe
ashwebsv.exe
aswupdsv.exe
avengine.exe
avesvc.exe
avgam.exe
avgamsvr.exe
avgas.exe
avgcc.exe
avgemc.exe
avgfws8.exe
avgnsx.exe
avgnt.exe
avgrsx.exe
avgtray.exe
avguard.exe
avgupsvc.exe
avgwdsvc.exe
avgwsvc.exe
avkproxy.exe
avkservice.exe
avktray.exe
avkwctl.exe
avmailc.exe
avp.exe
avpmapp.exe
avwebgrd.exe
bdagent.exe
bdtupdateservice.exe
caavguiscan.exe
caglobal.exe
cagloballight.exe
capfasem.exe
cappactiveprotection.exe
cavrid.exe
ccenter.exe
cclaw.exe
ccprovsp.exe
ccsvchst.exe
cctray.exe
cfgmng32.exe
consctl.exe
counterspy.exe
drwebscd.exe
dvpapi.exe
egui.exe
ekrn.exe
elogsvc.exe
emlproui.exe
emlproxy.exe
escanmon.exe
fameh32.exe
fch32.exe
formcomsvr
fpavserver.exe
fprottray.exe
fsaua.exe
fsav32.exe
fsavgui.exe
fsdfwd.exe
fsgk32st.exe
fsguidll.exe
fsm32.exe
fsma32.exe
fsmb32.exe
fsqh.exe
fssm32.exe
fsus.exe
gdfirewalltray.exe
gdfwsvc.exe
guard.exe
guardxkickoff.exe
guardxservice.exe
guardxup.exe
hfacsvc.exe
hpcsvc.exe
hrres.exe
hsvcmod.exe
iface.exe
isafe.exe
itmrtsvc.exe
k7emlpxy.exe
k7fwsrvc.exe
k7pssrvc.exe
k7rtscan.exe
k7sysmon.exe
k7systry.exe
k7tsecurity.exe
k7tsmngr.exe
livesrv.exe
mantispm.exe
mcagent.exe
mcmscsvc.exe
mcnasvc.exe
mcproxy.exe
mcsacore.exe
mcshield.exe
mcsysmon.exe
mcupdmgr.exe
mcvsmap.exe
mcvsshld.exe
mdmcls32.exe
monitor.exe
mpfsrv.exe
msfwsvc.exe
msksrver.exe
msproxy.ahn
mwagent.exe
mwaser.exe
nip.exe
njeeves.exe
npcsvc32.exe
npfsvc32.exe
nprosec.exe
nsesvc.exe
nuaa.exe
nvcoas.exe
nvcsched.exe
nvoy.exe
ochealthmon.exe
onlinent.exe
onlnsvc.exe
pavbckpt.exe
pavfnsvr.exe
pavprsrv.exe
pavsrv51.exe
pctsauxs.exe
pctssvc.exe
pctstray.exe
ppctlpriv.exe
prevx.exe
psctrls.exe
pshost.exe
psksvc.exe
pslmsvc.exe
pxagent.exe
pxconsole.exe
qhfw.exe
qoeloader.exe
quhlpsvc.exe
ravmon.exe
ravmond.exe
rsnetsvr.exe
rstray.exe
scanfrm.exe
sched.exe
seccenter.exe
sfctlcom.exe
spiderml.exe
spidernt.exe
spiderui.exe
spysweeper.exe
spysweeperui.exe
ssu.exe
svcprs32.exe
syssvcnt.exe
tfservice.exe
thav.exe
thd32.exe
thsm.exe
tmbmsrv.exe
tmpfw.exe
tmproxy.exe
tpsrv.exe
trayicos.exe
traysser.exe
tscfplat
ufseagnt.exe
ufupdui.exe
uiscan.exe
umxagent.exe
umxcfg.exe
umxfwhlp.exe
umxpol.exe
upschd.exe
vba32ldr.exe
vbcmserv.exe
vbsystry.exe
vetmsg.exe
virusutilities.exe
vmacthlp.exe
vmwareservice.exe
vmwaretray.exe
vmwareuser.exe
vrfwsock.exe
vrfwsvc.exe
vrmonnt.exe
vrmonsvc.exe
vrrepair.exe
vsmon.exe
vsserv.exe
webproxy.exe
winss.exe
winssnotify.exe
winssui.exe
wrconsumerservice.exe
xcommsvr.exe
zanda.exe
zlclient.exe
Analysis by Elda Dimakiling
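The three behaviors described above (the DLL file names, the download sites, and the termination of security processes) can be checked together against endpoint telemetry. The following is an added example, not part of the original analysis: the event fields (host, kind, value), the threshold of three distinct processes, and the sample events are assumptions made for illustration, and only a few of the listed process names are included.

```python
import ntpath
from collections import defaultdict

# Indicators copied from this page; SECURITY_PROCS is a small subset of its list.
DLL_NAMES = {"batmeter16.dll", "default32.dll", "mark_32.dll"}
DOMAINS = {"clicksend.biz", "clickspot.biz"}
SECURITY_PROCS = {"avp.exe", "avguard.exe", "mcshield.exe", "ekrn.exe", "vsmon.exe"}

def domain_matches(query):
    """True for a listed domain or any subdomain of it, not for look-alikes."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in DOMAINS)

def triage(events, min_kills=3):
    """Return {host: sorted findings}. Event layout is hypothetical."""
    findings = defaultdict(set)
    kills = defaultdict(set)
    for ev in events:
        host, kind, value = ev["host"], ev["kind"], ev["value"]
        # ntpath parses Windows paths correctly on any platform.
        name = ntpath.basename(value).lower()
        if kind == "image_load" and name in DLL_NAMES:
            findings[host].add("dll_name")
        elif kind == "dns_query" and domain_matches(value):
            findings[host].add("download_domain")
        elif kind == "process_exit" and name in SECURITY_PROCS:
            kills[host].add(name)
    for host, procs in kills.items():
        # One security process exiting is routine (updates, restarts);
        # several distinct ones on the same host is the pattern of interest.
        if len(procs) >= min_kills:
            findings[host].add("security_process_kills")
    return {h: sorted(f) for h, f in findings.items()}

# Constructed sample events, not real telemetry.
SAMPLE = [
    {"host": "ws01", "kind": "image_load", "value": r"C:\Windows\System32\MARK_32.DLL"},
    {"host": "ws01", "kind": "dns_query", "value": "dl.clickspot.biz."},
    {"host": "ws01", "kind": "process_exit", "value": r"C:\AV\avp.exe"},
    {"host": "ws01", "kind": "process_exit", "value": r"C:\AV\ekrn.exe"},
    {"host": "ws01", "kind": "process_exit", "value": r"C:\AV\vsmon.exe"},
    {"host": "ws02", "kind": "dns_query", "value": "notclicksend.biz"},
    {"host": "ws02", "kind": "process_exit", "value": r"C:\AV\avguard.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The file names are generic enough to collide with legitimate software, so a dll_name finding alone is weak; it carries more weight when the same host also shows one of the other two findings.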
Prevention