Threat behavior
TrojanDropper:Win32/Mader.gen!B is a trojan dropper that drops and installs files currently detected as VirTool:WinNT/Mader.E. It sends reports at regular intervals to a certain website and downloads arbitrary files.
Installation
TrojanDropper:Win32/Mader.gen!B drops the following files in an infected system:
- %Temp%\tni<random characters>.tmp - detected as VirTool:WinNT/Mader.E
- <system folder>\<random name>.sys - detected as VirTool:WinNT/Mader.E
- <system folder>\core.cache.dsk
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The dropped files serve to hide this trojan from detection on the system.
Mader.gen!B also injects malicious code in "explorer.exe", making it harder for the malware process to be terminated.
Payload
Downloads Arbitrary Files
TrojanDropper:Win32/Mader.gen!B connects to the website "in-t-e-r-n-e-t.com" to receive instructions for file downloads. It also sends information about its dropped files and the infected system to this website.
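The indicators in this write-up (the dropped-file names from the Installation section and the website named in this section) can be turned into a simple triage check. The Python script below is an added example written for this page, not Microsoft's own detection logic; the sample file listing and proxy log lines are constructed, and the log format (one request per line as 'timestamp client-ip url status') is an assumption.

```python
"""Host and network indicator triage for the Mader.gen!B write-up above.

Hypothetical defender tooling, not Microsoft's. The file-name patterns and
the C2 domain are taken from the write-up; the sample inputs are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# --- host-based indicators (from the write-up) ---------------------------
# <system folder> is resolved by the malware at run time, so any System32
# directory is accepted rather than a hard-coded drive letter. The dropped
# driver has a random name and sits directly in the system folder, not in
# System32\drivers where legitimate drivers normally live.
TEMP_TMP_RE = re.compile(r"(?i)[\\/]Temp[\\/]tni[^\\/]*\.tmp$")
SYSDIR_SYS_RE = re.compile(r"(?i)[\\/]System32[\\/][^\\/]+\.sys$")
CORE_CACHE_RE = re.compile(r"(?i)[\\/]System32[\\/]core\.cache\.dsk$")

# --- network indicator (from the write-up) -------------------------------
C2_DOMAIN = "in-t-e-r-n-e-t.com"


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (strength, reason) for a path, or None if it is not an indicator."""
    if CORE_CACHE_RE.search(path):
        return ("strong", "core.cache.dsk in system folder")
    if TEMP_TMP_RE.search(path):
        return ("strong", "tni*.tmp dropper payload in %Temp%")
    if SYSDIR_SYS_RE.search(path):
        # A random-named .sys also matches benign drivers that installers put
        # directly in System32, so on its own this is only a weak indicator.
        return ("weak", "unexpected .sys directly in system folder")
    return None


def triage_host(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise file-system indicators and give a verdict.

    A weak hit alone is not enough: the host is only called 'likely infected'
    when at least one strong indicator is present.
    """
    strong: List[str] = []
    weak: List[str] = []
    for p in paths:
        hit = classify_path(p)
        if hit is None:
            continue
        (strong if hit[0] == "strong" else weak).append(f"{p} ({hit[1]})")
    if strong:
        verdict = "likely infected"
    elif weak:
        verdict = "inconclusive - verify driver signature and creation time"
    else:
        verdict = "no indicators"
    return {"strong": strong, "weak": weak, "verdict": verdict}


def c2_hits(proxy_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Find requests to the C2 domain (or any subdomain) in proxy log lines.

    Assumed line format: '<timestamp> <client-ip> <url> <status>'.
    Returns (timestamp, client_ip, host) for each matching line. The dot
    boundary check keeps lookalike hosts such as 'xin-t-e-r-n-e-t.com' out.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlparse(parts[2]).hostname
        if host and (host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)):
            hits.append((parts[0], parts[1], host))
    return hits


# --- constructed sample input (not real telemetry) -----------------------
SAMPLE_FILES = [
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\atapi.sys",  # legitimate driver location
    r"C:\Windows\System32\qzxw.sys",  # random name directly in system folder
    r"C:\Windows\System32\core.cache.dsk",
    r"C:\Documents and Settings\user\Local Settings\Temp\tniA3F.tmp",
]

SAMPLE_PROXY_LOG = [
    "2000-01-01T10:00:00Z 10.0.0.5 http://www.example.com/ 200",
    "2000-01-01T10:05:00Z 10.0.0.5 http://in-t-e-r-n-e-t.com/report.php 200",
    "2000-01-01T10:05:30Z 10.0.0.7 http://cdn.in-t-e-r-n-e-t.com/file.bin 200",
    "2000-01-01T10:06:00Z 10.0.0.9 http://notin-t-e-r-n-e-t.com/ 200",  # lookalike
]

if __name__ == "__main__":
    print(triage_host(SAMPLE_FILES))
    print(c2_hits(SAMPLE_PROXY_LOG))
```

The strong/weak split matters in practice: a random-named driver in the system folder is exactly what this dropper leaves behind, but it also describes plenty of legitimate software, so the script only escalates when core.cache.dsk or a tni*.tmp file is present alongside it and otherwise asks the analyst to check the driver's signature and creation time. The network check matches the domain and its subdomains on a dot boundary, so a host that merely contains the string is not reported.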
Analysis by Dan Nicolescu
Prevention