
TrojanDropper:Win32/Rochap.C


First posted on 30 June 2009.
Source: SecurityHome

Aliases :

There are no other names known for TrojanDropper:Win32/Rochap.C.

Explanation :

TrojanDropper:Win32/Rochap.C is a trojan that connects to a certain Web site to download another piece of malware, which is detected as Trojan:Win32/Rochap.A. While downloading the file, it launches the default Web browser and displays a video from youtube.com, presumably to distract the affected user.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Installation
TrojanDropper:Win32/Rochap.C arrives on the system with an icon similar to that of Internet Explorer, in an attempt to trick the user into thinking that it may be a component of Internet Explorer.

When executed, TrojanDropper:Win32/Rochap.C drops and loads its DLL component, which is detected as TrojanDownloader:Win32/Rochap.C.

Payload
Downloads other malware
TrojanDownloader:Win32/Rochap.C!dll connects to the Web site www.orthodoxie-oostende.org to download and execute a file as <system folder>\26346.exe. While downloading the file, it launches the default Web browser and displays a video from youtube.com, presumably to distract the affected user. This file is detected as Trojan:Win32/Rochap.A.

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
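The following is an added example, not part of the original analysis: a small correlation check that flags a process showing at least two of the three behaviours described above (a lookup of the download host, an executable written to the system folder, a browser launched on a youtube.com URL). The event schema, the 120-second window and the sample events are constructed assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

DOWNLOAD_HOST = "www.orthodoxie-oostende.org"   # from the write-up
DROPPED_NAME = "26346.exe"                      # from the write-up
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
WINDOW = timedelta(seconds=120)                 # assumed correlation window
# Constructed sample events. Schema (time, host, pid, kind, value) is hypothetical;
# for "proc_start" the pid is the parent process that launched the command line.
SAMPLE_EVENTS = [
    ("2009-06-30T10:00:01", "PC-01", 1200, "dns", "www.orthodoxie-oostende.org"),
    ("2009-06-30T10:00:02", "PC-01", 1200, "proc_start", "iexplore.exe http://www.youtube.com/watch?v=EXAMPLE"),
    ("2009-06-30T10:00:09", "PC-01", 1200, "file_create", r"C:\WINDOWS\system32\26346.exe"),
    ("2009-06-30T10:05:00", "PC-02", 880, "proc_start", "iexplore.exe http://www.youtube.com/watch?v=EXAMPLE"),
    ("2009-06-30T10:06:00", "PC-03", 400, "file_create", r"C:\Windows\System32\drivers\etc\hosts"),
]

def classify(kind, value):
    """Map one raw event to a behaviour signal from the write-up, or None."""
    v = value.lower()
    if kind == "dns" and v.rstrip(".") == DOWNLOAD_HOST:
        return "download_host"
    if kind == "proc_start" and "youtube.com" in v:
        return "decoy_video"
    if kind == "file_create":
        folder, name = ntpath.split(v)   # Windows path rules on any platform
        if folder in SYSTEM_DIRS and name.endswith(".exe"):
            return "known_payload_name" if name == DROPPED_NAME else "exe_in_system_folder"
    return None

def correlate(events, min_signals=2):
    """Return {(host, pid): signals} where enough distinct signals fall inside WINDOW."""
    seen = defaultdict(list)
    for ts, host, pid, kind, value in events:
        signal = classify(kind, value)
        if signal:
            seen[(host, pid)].append((datetime.fromisoformat(ts), signal))
    hits = {}
    for key, items in seen.items():
        items.sort()
        for start, _ in items:
            in_window = {s for t, s in items if start <= t <= start + WINDOW}
            if len(in_window) >= min_signals:
                hits[key] = sorted(in_window)
                break
    return hits

if __name__ == "__main__": print(correlate(SAMPLE_EVENTS))
```

A browser opening youtube.com on its own (PC-02 in the sample) is not flagged; only the combination of signals from one process is.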

Analysis by Chun Feng

Last update 30 June 2009

 
