Home / malware Trojan.Loader.N
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.Loader.N is also known as Trojan.Kobcka, Trojan-Downloader.Win32.Mutant, TrojanDownloader:Win32/Cutwail, Trojan.Pandex, Win32/Wigon.
Explanation :
The virus acts like a loader for an encrypted PE file contained in the virus body. After the payload has been decrypted, the control of the program is passed to the contained executable.
After executed, the virus adds the registry value in order to run at every system start-up:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun = "advap32"
This contained malware file is detected as Trojan.Kobcka.DO and acts like a downloader. The malware tries several urls:
75.126.22.226 (citycentre2.dk)
75.125.207.50 (server.microlite18.com)
75.125.207.82 (server.host53.com)
208.66.195.71
208.66.194.236
using the HTTP 80 port, and downloads several other malware files known as:
Trojan.Kobcka.DT
Trojan.Downloader.Agent.ZJA.
These are stored as: "%Temp%BN[random_digit].tmp", are executed and download other malware, as well.
The downloaded files are components of a SPAM bot trojan designed to launch massive SPAM attacks from the compromised system.Last update 21 November 2011