Trojan:Win32/Mojap.A
First posted on 12 June 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Mojap.A is also known as Trojan.Win32.Mojap (Ikarus).
Explanation:
Installation
When run, the trojan copies the original system files cmd.exe and advapi32.dll as follows:
- <system folder>\cmd.exe is copied to %APPDATA%\umdsv.exe
- <system folder>\advapi32.dll is copied to %TEMP%\adv.dll
It may copy these files so that other malware downloaded or installed alongside this trojan can use them as payloads.
Payload
Sends information to a remote server
The trojan gathers the following information about your computer:
- The name of your computer
- Your user name
- Your IP address
- Information about your operating system, including the type, version, and language
- Information about your hard disk(s)
- Information about the speed of your CPU
It sends this information to the following remote server using HTTP POST:
nolimit.japmobi.com:8080
HTTP POST is a basic form of Internet communication in which your computer sends data to a website.
The server may send information back to the trojan on your computer, where it saves the information into your temporary internet files folder as the file yeah.htm. By default, this folder is located at %USERPROFILE%\Local Settings\Temporary Internet Files.
Depending on the reply from the server, this trojan might:
- List all the files on your computer
- Save files to your computer
- Get information about your disk drives, for example what type of hard disk it is and how much free space remains
- Run commands
Additional information
The trojan creates a mutex named "20111013##", which it uses as an infection marker to ensure that only one copy of the trojan is running on your computer at any one time.
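A defender's triage check for the indicators this description lists, added here as an example and not Microsoft's own tooling: it flags HTTP POSTs to the command server host and port in proxy logs, and matches the dropped file names and the mutex against a host triage export. The proxy log format and the sample log lines are assumptions constructed for this example.

```python
import ntpath
import re

# Indicators taken from the Mojap.A description above; the log format below is an
# assumption made for this example ("<time> <client> <method> <url> <status>").
MOJAP_MUTEX = "20111013##"
MOJAP_C2 = "nolimit.japmobi.com:8080"
MOJAP_FILE_NAMES = {
    "umdsv.exe": "copy of cmd.exe dropped in %APPDATA%",
    "adv.dll": "copy of advapi32.dll dropped in %TEMP%",
    "yeah.htm": "server reply saved to Temporary Internet Files",
}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed proxy log lines for the example; no real traffic was captured.
SAMPLE_PROXY_LOG = """\
2013-06-12T10:00:01Z 10.0.0.15 GET http://example.com/index.html 200
2013-06-12T10:00:07Z 10.0.0.15 POST http://nolimit.japmobi.com:8080/ 200
2013-06-12T10:00:09Z 10.0.0.23 POST https://intranet.example/login 302
2013-06-12T10:01:30Z 10.0.0.15 POST http://NOLIMIT.japmobi.com:8080/report 200
"""


def find_c2_posts(log_text):
    """Return (timestamp, client) for every HTTP POST whose host:port is the Mojap.A server."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, _status = m.groups()
        host_port = url.split("://", 1)[-1].split("/", 1)[0].lower()
        if method == "POST" and host_port == MOJAP_C2:
            hits.append((ts, client))
    return hits


def match_host_artifacts(file_paths, mutex_names):
    """Flag file paths and mutex names (e.g. from a host triage export) that match the indicators."""
    # A name match is only a triage hint: confirm that umdsv.exe / adv.dll are byte-for-byte
    # copies of the system's cmd.exe / advapi32.dll, as the description states.
    findings = []
    for path in file_paths:
        name = ntpath.basename(path).lower()
        if name in MOJAP_FILE_NAMES:
            findings.append(f"file {path}: {MOJAP_FILE_NAMES[name]}")
    for mutex in mutex_names:
        if mutex == MOJAP_MUTEX:
            findings.append(f"mutex {mutex}: Mojap.A infection marker")
    return findings
```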
Analysis by Ric Robielos
Last update 12 June 2013