Home / malware Trojan:Win32/Ilomo.C
First posted on 14 July 2009.
Source: SecurityHomeAliases :
Trojan:Win32/Ilomo.C is also known as Also Known As:Trojan.Clampi (Symantec).
Explanation :
Trojan:Win32/Ilomo.C is a trojan that may arrive in a system by being dropped by another malware. It injects code into an Internet Explorer process and connects to various Web sites, possibly to download other malware components.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
Trojan:Win32/Ilomo.C is a trojan that may arrive in a system by being dropped by another malware. It injects code into an Internet Explorer process and connects to various Web sites, possibly to download other malware components.
Installation
This trojan may be installed by other malware and may be present in the %APPDATA% folder as one of the following file names: %APPDATA%dumpreport.exe
%APPDATA%msiexeca.exe
%APPDATA%svchosts.exe
%APPDATA%upnpsvc.exe
%APPDATA%service.exe
%APPDATA% askmon.exe
%APPDATA%
undll.exe
%APPDATA%helper.exe
%APPDATA%event.exe
%APPDATA%logon.exe
%APPDATA%sound.exe
%APPDATA%lsas.exe Note that these file names are similar to the file names used by legitimate system processes (such as 'lsass.exe', 'svchost.exe', and 'services.exe'). The registry may be modified to execute Trojan:Win32/Ilomo.C at each Windows start. Adds value: "<value>"
With data: "%APPDATA%<malware name>"
To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun where <malware name> is one of the above possible file names and <value> is one of the following: CrashDump
svchosts
EventLog
TaskMon
Windows
RunDll
System
Setup
Sound
lsass
UPNP
Init
Payload
Connects to Web sitesTrojan:Win32/Ilomo.C launches 'iexplore.exe' and injects code to this process. It may connect to various Web sites, such as the following, to download additional malware components:webmail.re-factoring.cn secure.loderunner.in pop3.re-factoring.cn try.mojitoboom.in direct.matchbox.vc
Analysis by Dan KurcLast update 14 July 2009