Variants of TrojanDownloader:Win32/Wintrim may be downloaded and run by software bundlers, such as SoftwareBundler:Win32/Lollipox and SoftwareBundler:Win32/Lollipos.
When run, the trojan downloader checks for the presence of security software on your PC (in the wild, we have observed it checking for the presence of Avast security software). Depending on whether you have security software installed and running or not, the trojan will download and run an executable file from the following URL:
The trojan downloader saves the file as Lollipop.exe into the %TEMP% folder, and then moves the file to the %LOCALAPPDATA% folder. The file is detected as a variant of the Trojan:Win32/Wintrim family of trojans that display pop-up ads in certain search engines.
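The drop-then-move behavior described above can be hunted for in file telemetry. The following is an added example, not part of the original analysis: it correlates a sighting of Lollipop.exe under %TEMP% with a later sighting under %LOCALAPPDATA% on the same host. The (host, time, path) event shape, the host names, the 10-minute window and the default %TEMP% location (AppData\Local\Temp) are assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

FILE_NAME = "lollipop.exe"        # file name given on this page, lower-cased
WINDOW = timedelta(minutes=10)    # assumed correlation window

# Constructed sample file events (host, ISO time, path); not real telemetry.
SAMPLE_EVENTS = [
    ("PC-01", "2024-01-01T10:00:00", r"C:\Users\amy\AppData\Local\Temp\Lollipop.exe"),
    ("PC-01", "2024-01-01T10:00:05", r"C:\Users\amy\AppData\Local\LOLLIPOP.EXE"),
    ("PC-02", "2024-01-01T11:00:00", r"C:\Users\bob\AppData\Local\Temp\Lollipop.exe"),
    ("PC-03", "2024-01-01T12:00:00", r"C:\Users\cat\AppData\Local\Temp\setup.exe"),
    ("PC-03", "2024-01-01T12:00:03", r"C:\Users\cat\AppData\Local\setup.exe"),
]

def classify(path):
    """Return 'temp', 'local' or None for a Windows path to the named file."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if not parts or parts[-1] != FILE_NAME:
        return None
    for i in range(len(parts) - 2):
        if parts[i] == "appdata" and parts[i + 1] == "local":
            # %TEMP% normally sits inside %LOCALAPPDATA%, so test for it first.
            return "temp" if parts[i + 2] == "temp" else "local"
    return None

def correlate(events):
    """Return (moved, temp_only): drop-then-move hits, and hosts with a drop only."""
    seen_in_temp, moved = {}, []
    for host, stamp, path in sorted(events, key=lambda e: e[1]):
        kind = classify(path)
        when = datetime.fromisoformat(stamp)
        if kind == "temp":
            seen_in_temp[host] = (when, path)
        elif kind == "local" and host in seen_in_temp:
            first, temp_path = seen_in_temp[host]
            if when - first <= WINDOW:
                moved.append((host, temp_path, path))
    moved_hosts = {hit[0] for hit in moved}
    temp_only = sorted(h for h in seen_in_temp if h not in moved_hosts)
    return moved, temp_only

if __name__ == "__main__":
    moved, temp_only = correlate(SAMPLE_EVENTS)
    for host, src, dst in moved:
        print(f"{host}: {src} -> {dst}")
    print("Temp sighting only:", temp_only)
```

A host that shows only the %TEMP% sighting is still worth triage, since the move may have happened outside the collection window or been blocked.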
Analysis by Geoff McDonald
The following could indicate that you have this threat on your PC:
- The appearance of pop-up ads, particularly ones that are pornographic in nature, or being redirected to search results you did not intend to visit
- The presence of the following file: