Trojan.Generic.2581209
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Generic.2581209 is also known as Glecia, Krap.
Explanation:
The malware is distributed in a zip archive attached to an e-mail which claims to be from "DHL express services".
Glecia cannot propagate itself, so it needs a third party to send the spam.
An e-mail sample follows:
Subject: DHL Express Services. Please get your parcel NR.56449
Headers:
From: "****" <****@dhl-usa.com>
Subject: DHL Express Services. Please get your parcel NR.56449
Body:
Dear customer!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.
Thank you for attention.
DHL Services.
Attachments:
DHL_print_label_582b9.zip (16.23KB)
The archive contains a packed executable which drops a BHO (Browser Helper Object) to %SYSTEM%\hdvgtueyitf.dll and registers it as "Microsoft Online Helper!" or "Google Accelerator!" with CLSID {CEE2864E-1144-4B8F-9A43-4CEAC4553560}.
When done, the dropper creates and runs a batch file called sys.bat in order to delete itself.
The BHO is a backdoor that can be used by the attacker to take control over the infected computer.
Last update 21 November 2011
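The registration details above (the CLSID, the two display names and the dropped DLL name) are the host-side indicators a responder would check for. The following script is an added example, not part of the BitDefender entry: it compares Browser Helper Object registrations against those indicators, runs offline on a constructed sample list, and can also enumerate the live BHO list on a Windows host via `winreg`. The `BhoEntry` class, the function names and the constructed sample entries (including the placeholder CLSID `{00000000-0000-0000-0000-000000000001}`) are assumptions made for this example.

```python
"""Added example (not from the BitDefender entry): triage Browser Helper Object
registrations against the Glecia / Trojan.Generic.2581209 indicators."""
import ntpath
import sys
from dataclasses import dataclass

# Indicators quoted from the page.
GLECIA_CLSID = "{CEE2864E-1144-4B8F-9A43-4CEAC4553560}"
GLECIA_BHO_NAMES = {"microsoft online helper!", "google accelerator!"}
GLECIA_DLL_NAME = "hdvgtueyitf.dll"   # dropped to %SYSTEM%\hdvgtueyitf.dll


@dataclass
class BhoEntry:
    clsid: str      # key name under HKLM\...\Explorer\Browser Helper Objects
    name: str       # default value of HKCR\CLSID\{clsid}
    dll_path: str   # default value of HKCR\CLSID\{clsid}\InprocServer32


def assess_bho(entry: BhoEntry) -> list:
    """Return the reasons an entry matches the Glecia indicators (empty list = no match)."""
    reasons = []
    if entry.clsid.strip().upper() == GLECIA_CLSID:
        reasons.append("CLSID matches the Glecia BHO")
    if entry.name.strip().lower() in GLECIA_BHO_NAMES:
        reasons.append("display name %r is a Glecia alias" % entry.name)
    # ntpath handles Windows separators on any platform.
    if ntpath.basename(entry.dll_path).lower() == GLECIA_DLL_NAME:
        reasons.append("in-process server is the dropped DLL name")
    return reasons


def scan_entries(entries) -> list:
    """Return [(entry, reasons)] for every entry matching at least one indicator."""
    hits = []
    for entry in entries:
        reasons = assess_bho(entry)
        if reasons:
            hits.append((entry, reasons))
    return hits


def live_bho_entries() -> list:
    """Enumerate the BHOs registered for Internet Explorer (Windows only).
    Assumption: the 64-bit view is enough; on 64-bit Windows the 32-bit browser
    reads the same list under Software\\WOW6432Node\\..., which a full sweep
    should also cover."""
    if sys.platform != "win32":
        raise RuntimeError("registry enumeration only works on Windows")
    import winreg
    bho_key = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, bho_key) as key:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(key, index)
            except OSError:
                break          # no more subkeys
            index += 1
            name, dll = "", ""
            try:
                name = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"CLSID\%s" % clsid)
                dll = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"CLSID\%s\InprocServer32" % clsid)
            except OSError:
                pass           # orphaned registration: still worth listing
            entries.append(BhoEntry(clsid, name, dll))
    return entries


# Constructed sample data for offline use: one benign placeholder and one Glecia-style entry.
SAMPLE_ENTRIES = [
    BhoEntry("{00000000-0000-0000-0000-000000000001}", "Example Toolbar (constructed)",
             r"C:\Program Files\Example\toolbar.dll"),
    BhoEntry("{cee2864e-1144-4b8f-9a43-4ceac4553560}", "Google Accelerator!",
             r"C:\WINDOWS\system32\hdvgtueyitf.dll"),
]

if __name__ == "__main__":
    entries = live_bho_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for entry, reasons in scan_entries(entries):
        print("SUSPECT %s %r -> %s" % (entry.clsid, entry.name, entry.dll_path))
        for reason in reasons:
            print("    -", reason)
```

The three checks are deliberately independent: a variant that changes the display name or CLSID but keeps the dropped file name still produces a hit, and an orphaned CLSID whose DLL has already been deleted by the `sys.bat` cleanup step still shows up through the registry key alone.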