TrojanDropper:Win32/Broonject.B
First posted on 03 February 2012.
Source: Microsoft
Aliases:
TrojanDropper:Win32/Broonject.B is also known as Trojan.DownLoad2.39716 (Dr.Web).
Explanation:
TrojanDropper:Win32/Broonject.B is a trojan that installs TrojanSpy:Win32/Broonject.B, a trojan that communicates with certain remote servers. TrojanDropper:Win32/Broonject.B may be installed when opening a malicious PDF file that exploits an unspecified vulnerability in the U3D component in Adobe Reader and Acrobat, described in CVE-2011-2462. The malicious PDF may be identified as Exploit:Win32/Pdfjsc.Y and Exploit:Win32/CVE-2011-2462.
Installation
TrojanDropper:Win32/Broonject.B may be installed when opening a malicious PDF file that exploits an unspecified vulnerability in the U3D component in Adobe Reader and Acrobat, described in CVE-2011-2462. The malicious PDF may be identified as Exploit:Win32/Pdfjsc.Y and Exploit:Win32/CVE-2011-2462.
When the malicious PDF is opened in a vulnerable version of Adobe Reader, its JavaScript performs a heap spray to trigger the vulnerability and run shellcode, which drops an executable file detected as TrojanDropper:Win32/Broonject.B, for example:
- <system folder>\client.exe
When this trojan dropper is run, it installs TrojanSpy:Win32/Broonject.B by dropping the following files:
- <system folder>\<file name>d.dll - TrojanSpy:Win32/Broonject.B
- <system folder>\<file name>d.exe - TrojanSpy:Win32/Broonject.B
Where <file name> was observed to be "wincfg" or "userdom" (e.g. "userdomd.exe").
TrojanDropper:Win32/Broonject.B launches a hidden instance of Internet Explorer and injects the dropped DLL component (for example, "userdomd.dll") into that process.
Payload
Communicates with a remote host
TrojanDropper:Win32/Broonject.B attempts to connect to one of the following remote servers:
- 66.<removed>.132.11
- reg<removed>.puzzleofworld.com
- inf<removed>.puzzleofworld.com
- dat<removed>.puzzleofworld.com
Additional information
TrojanDropper:Win32/Broonject.B creates the following registry data:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Sets value: "SMJW"
With data: "<system folder>\client.exe"
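As an added example (not part of the Microsoft entry), a small Python triage routine that checks a host snapshot against the file, registry and remote-server indicators listed above. The snapshot layout and sample values are constructed for this example; the hostname label and the IP's second octet, which the entry redacts, are replaced by placeholders.

```python
import re
from typing import Dict, List

# Indicators taken from the entry above. Hostname labels and the IP are partly
# redacted on the page, so only the parent domain and the visible octets are used.
# Note that "client.exe" is a generic name and is a weak indicator on its own.
DROPPED_NAMES = {"client.exe", "wincfgd.dll", "wincfgd.exe", "userdomd.dll", "userdomd.exe"}
PERSISTENCE_SUBKEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
PERSISTENCE_VALUE = "SMJW"
C2_DOMAIN_SUFFIX = ".puzzleofworld.com"
C2_IP_PATTERN = re.compile(r"^66\.\d{1,3}\.132\.11$")  # second octet is redacted on the page


def triage(snapshot: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for a host snapshot.

    The snapshot layout is constructed for this example (not any tool's format):
      "system_files": file names present in the system folder
      "registry":     "subkey|value|data" strings exported from autostart keys
      "remote_hosts": hostnames resolved or IPs contacted by the host
    """
    findings: List[str] = []
    for name in snapshot.get("system_files", []):
        if name.lower() in DROPPED_NAMES:
            findings.append(f"dropped file in system folder: {name}")
    for entry in snapshot.get("registry", []):
        subkey, value, data = entry.split("|", 2)
        if subkey.lower() == PERSISTENCE_SUBKEY.lower() and value == PERSISTENCE_VALUE:
            findings.append(f"persistence value {value} pointing at {data}")
    for host in snapshot.get("remote_hosts", []):
        if host.lower().endswith(C2_DOMAIN_SUFFIX) or C2_IP_PATTERN.match(host):
            findings.append(f"contact with known remote server: {host}")
    return findings


# Constructed sample snapshot of one infected-looking host. The hostname label
# and the IP's second octet are placeholders because the page redacts them.
SAMPLE_SNAPSHOT = {
    "system_files": ["kernel32.dll", "userdomd.dll", "userdomd.exe", "client.exe"],
    "registry": [
        PERSISTENCE_SUBKEY + r"|SMJW|C:\Windows\System32\client.exe",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Example|C:\Program Files\Example\app.exe",
    ],
    "remote_hosts": ["update.microsoft.com", "dat-redacted.puzzleofworld.com", "66.0.132.11"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print(finding)
```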
For more information about TrojanSpy:Win32/Broonject.B, see the description elsewhere in the encyclopedia.
Analysis by Wei Li
Last update 03 February 2012