TrojanDownloader:W97M/Orgen.A
First posted on 18 November 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:W97M/Orgen.A.
Explanation :
Threat behavior
Installation
This threat usually arrives on your PC as a Microsoft Office file attached to a spam email. We have seen this threat using a Microsoft Word (.doc) file.
When you open the malicious file, Microsoft Word should show you a security notification asking whether you want to enable macros. If you enable macros, this threat will run. We have also seen this threat use social engineering to try to convince you to enable macros, as shown in the example below:
Payload
Downloads and runs files
When the malicious document is opened and macros are enabled, this threat can download files onto your PC and run them.
We have seen it connect to the following websites:
- kilomenter.com/.exe
- wellingten.de/images/.exe
- moviebernie1996.ru/.exe
These websites were unavailable at the time of analysis.
The downloaded files can be saved and run from the following locations:
- %APPDATA%\fdg.scr
- C:\GHJCJ.ScR
- C:\dg34g.scr
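
The behavior described above (a Word macro saving a .scr file directly into %APPDATA% or the root of a drive and running it) can be hunted for in process-creation logs. The sketch below is an added example, not Microsoft's detection logic: the event field names and the sample events are constructed, and treating WINWORD.EXE as the parent process is an assumption about how the macro launches the file.

```python
import re

# Locations from the description above: a .scr file directly in the roaming
# %APPDATA% folder (current and Windows XP layouts) or in the root of a drive.
APPDATA_SCR = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\roaming"
    r"|documents and settings\\[^\\]+\\application data)\\[^\\]+\.scr$"
)
DRIVE_ROOT_SCR = re.compile(r"^[a-z]:\\[^\\]+\.scr$")

# Assumption: the macro starts the downloaded file from the Word process.
OFFICE_PARENTS = {"winword.exe"}


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    image = event["image"].lower()  # Windows paths are case-insensitive
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    if not (APPDATA_SCR.match(image) or DRIVE_ROOT_SCR.match(image)):
        return None
    # A screensaver binary started by Word is a stronger signal than one
    # started by anything else from the same unusual location.
    return "high" if parent in OFFICE_PARENTS else "medium"


def scan(events):
    """Return (image, severity) for every event that matches."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((event["image"], severity))
    return hits


# Constructed sample events, for illustration only.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Roaming\fdg.scr"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\GHJCJ.ScR"},
    {"parent_image": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\Windows\System32\scrnsave.scr"},  # legitimate screensaver
    {"parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},           # normal Word child
]

if __name__ == "__main__":
    for image, severity in scan(SAMPLE_EVENTS):
        print(severity, image)
```

Matching on the location pattern rather than the exact file names keeps the rule useful if the file name changes between samples.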
Analysis by Jonathan San Jose
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
  - kilomenter.com/.exe
  - wellingten.de/images/.exe
  - moviebernie1996.ru/.exe

Last update 18 November 2014