
TrojanDropper:Win32/Broonject.A


First posted on 31 January 2012.
Source: Microsoft

Aliases:

TrojanDropper:Win32/Broonject.A is also known as Gen.Win32.ExplorerHijack (Ikarus), Trojan.Win32.Sasfis.crxz (Kaspersky).

Explanation:

TrojanDropper:Win32/Broonject.A is a trojan that installs TrojanSpy:Win32/Broonject.A, a trojan that communicates with a remote server with an IP address 216.45.58.30. TrojanDropper:Win32/Broonject.A may be installed when opening a malicious PDF file that exploits an unspecified vulnerability in the U3D component in Adobe Reader and Acrobat, described in CVE-2011-2462. The malicious PDF may be identified as Exploit:Win32/Pdfjsc.Y and Exploit:Win32/CVE-2011-2462.



TrojanDropper:Win32/Broonject.A is a trojan that installs TrojanSpy:Win32/Broonject.A, a trojan that communicates with a remote server with an IP address 216.45.58.30.



Installation

TrojanDropper:Win32/Broonject.A may be installed when opening a malicious PDF file that exploits an unspecified vulnerability in the U3D component in Adobe Reader and Acrobat, described in CVE-2011-2462. The malicious PDF, identified as Exploit:Win32/Pdfjsc.Y, contains an exploitable U3D object, detected as Exploit:Win32/CVE-2011-2462 and a malicious JavaScript shellcode.

When the PDF exploit is opened using a vulnerable version of Acrobat Reader, the JavaScript shellcode executes a heap-spray function to exploit the vulnerability, resulting in the malware dropping an executable file named "scvhost.exe" and detected as TrojanDropper:Win32/Broonject.A. When this trojan dropper is run, it installs TrojanSpy:Win32/Broonject.A by dropping the following files:

  • <system folder>\zine.dll - TrojanSpy:Win32/Broonject.A
  • <system folder>\zico.exe - TrojanSpy:Win32/Broonject.A
  • <system folder>\cha.exe - TrojanSpy:Win32/Broonject.A


TrojanDropper:Win32/Broonject.A launches a hidden instance of Internet Explorer and injects the dropped file "zine.dll" into that process.



Payload

Communicates with a remote host
TrojanDropper:Win32/Broonject.A attempts to connect with a remote server with an IP address of 216.45.58.30.
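The indicators in the Installation and Payload sections above (the dropper name, the three components dropped into the system folder, the DLL injected into the hidden Internet Explorer process, and the remote address) can be turned into host-triage checks. The following is an added example, not part of the Microsoft write-up: it runs those checks over constructed, Sysmon-like event records whose field names (kind, path, image, target, dest_ip) are an assumption of this example, and the "<system folder>" location is assumed to be System32.

```python
import ntpath  # Windows path handling, works on any host

# Indicators taken from the description above.
DROPPED_FILES = {"zine.dll", "zico.exe", "cha.exe"}
DROPPER_NAME = "scvhost.exe"    # look-alike of the legitimate svchost.exe
INJECTED_DLL = "zine.dll"
HOST_PROCESS = "iexplore.exe"   # the hidden Internet Explorer instance
C2_ADDRESS = "216.45.58.30"


def _name(path):
    return ntpath.basename(path).lower()


def _in_system_folder(path):
    # Assumption: "<system folder>" is %SystemRoot%\System32.
    return ntpath.dirname(path).lower().endswith("\\system32")


def scan_events(events):
    """Return (rule, event_index) for every event matching an indicator."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("kind")
        if kind == "file_create" and _name(ev["path"]) in DROPPED_FILES \
                and _in_system_folder(ev["path"]):
            hits.append(("dropped_component", i))
        elif kind == "process_create" and _name(ev["image"]) == DROPPER_NAME:
            hits.append(("dropper_executed", i))
        elif kind == "image_load" and _name(ev["image"]) == HOST_PROCESS \
                and _name(ev["target"]) == INJECTED_DLL:
            hits.append(("dll_injected_into_ie", i))
        elif kind == "network_connect" and ev.get("dest_ip") == C2_ADDRESS:
            hits.append(("c2_connection", i))
    return hits


# Constructed sample telemetry (not a real capture); events 0 and 3 are benign.
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "process_create", "image": r"C:\Users\u\AppData\Local\Temp\scvhost.exe"},
    {"kind": "file_create", "path": r"C:\Windows\System32\zine.dll"},
    {"kind": "file_create", "path": r"C:\Users\u\Downloads\zine.dll"},
    {"kind": "image_load", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "target": r"C:\Windows\System32\zine.dll"},
    {"kind": "network_connect", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dest_ip": "216.45.58.30"},
]

if __name__ == "__main__":
    for rule, idx in scan_events(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```

The name comparison is exact, so the legitimate svchost.exe and a zine.dll outside the system folder do not match; only the four events that reproduce the described behaviour are reported.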

Additional information

For more information about TrojanSpy:Win32/Broonject.A, see the description elsewhere in the encyclopedia.



Analysis by Wei Li

Last update 31 January 2012

 
