Trojan:Win32/Merdirt.A
First posted on 09 October 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Merdirt.A is also known as Trojan.Merdirt.A (VirusBuster), Trojan.Win32.Merdirt (Ikarus).
Explanation:
Trojan:Win32/Merdirt.A is a malicious Browser Helper Object (BHO) DLL that usually comes bundled with, and is installed alongside, a free plugin.

Installation
When executed, Trojan:Win32/Merdirt.A drops the following files:
%AppData%\LocalLow\Micronoft\redir.dll - copy of itself
<system folder>\detoured.dll - clean file that it needs for its malicious routines

Trojan:Win32/Merdirt.A registers its copy as a Browser Helper Object (BHO), so that it loads every time the browser starts, by creating the following registry entries:

In subkey: HKCR\AppID\redir.DLL
Sets value: "AppID"
With data: "{41879496-CED4-4858-B937-9107DFD96B65}"

In subkey: HKCR\AppID\{41879496-CED4-4858-B937-9107DFD96B65}
Sets value: "(Default)"
With data: "redir"

In subkeys: HKLM\redir.RFilter\CurVer
HKCU\redir.RFilter\CurVer
Sets value: "(Default)"
With data: "redir.RFilter.1"

Creates subkeys: HKLM\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}
HKCU\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}

Payload
Downloads instructions from a remote server
Trojan:Win32/Merdirt.A attempts to download a JavaScript file containing instructions from any of the following servers:
ironbee.info
yoonohelper.info
As of this writing, these servers are no longer available.

Depending on what instructions are contained within the downloaded file, Trojan:Win32/Merdirt.A can:
kill a process on the current computer
run a program on the current computer
send information about the current computer
get content from the JavaScript page
download a remote file

Additional information
Trojan:Win32/Merdirt.A may arrive bundled with a free plugin from the website get-styles.com.
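As an added example (not code from the original write-up or from any vendor), the following Python script sweeps for the indicators listed above in two offline inputs: a .reg text export, as written by `reg export`, and proxy or DNS log lines. The sample export and log lines are constructed for the example; placing the write-up's HKLM\redir.RFilter and HKLM\CLSID keys under HKLM\SOFTWARE\Classes, and the InprocServer32 path, are assumptions. detoured.dll is deliberately not used as an indicator, because the write-up itself describes it as a clean file.

```python
"""Offline IOC sweep for the Trojan:Win32/Merdirt.A artefacts listed above.
Added example, not code from the write-up; all sample input is constructed."""
import re
from dataclasses import dataclass

MERDIRT_GUIDS = {  # identifiers named in the write-up
    "{41879496-CED4-4858-B937-9107DFD96B65}": "AppID of redir.DLL",
    "{574940E0-1B7A-4881-8FA3-1E809714B156}": "CLSID of the BHO",
}
MERDIRT_PROGIDS = ("redir.RFilter", "redir.RFilter.1")
# Tail of %AppData%\LocalLow\Micronoft\redir.dll; detoured.dll is clean, so not an IOC.
MERDIRT_DROPPED_FILE = "micronoft\\redir.dll"
MERDIRT_DOMAINS = ("ironbee.info", "yoonohelper.info")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

@dataclass(frozen=True)
class Finding:
    kind: str    # "registry" or "network"
    where: str   # registry key/value, or the log line
    detail: str  # which indicator matched

def parse_reg_export(text):
    """Parse a .reg export into (key, name, value) triples; each key also
    yields (key, None, None). Quoted strings are unescaped, others kept raw."""
    triples, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            triples.append((key, None, None))
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        triples.append((key, name, value))
    return triples

def scan_registry(reg_text):
    """One Finding per Merdirt registry artefact in a .reg export."""
    findings = []
    for key, name, value in parse_reg_export(reg_text):
        if name is None:  # the key line itself
            key_l = key.lower()
            for guid, what in MERDIRT_GUIDS.items():
                if guid.lower() in key_l:
                    findings.append(Finding("registry", key, what))
            if "\\redir.rfilter" in key_l:
                findings.append(Finding("registry", key, "redir.RFilter ProgID key"))
            continue
        where = f"{key}\\{name}"
        if value.lower().endswith(MERDIRT_DROPPED_FILE):
            findings.append(Finding("registry", where, "points at dropped redir.dll"))
        elif value in MERDIRT_PROGIDS:
            findings.append(Finding("registry", where, "CurVer -> redir.RFilter.1"))
        elif value.upper() in MERDIRT_GUIDS:
            findings.append(Finding("registry", where, "value names a Merdirt GUID"))
    return findings

def scan_log_lines(lines):
    """One Finding per (log line, Merdirt domain); subdomains count, look-alikes do not."""
    findings = []
    for line in lines:
        hits = set()
        for host in HOST_RE.findall(line):
            h = host.lower()
            hits.update(d for d in MERDIRT_DOMAINS if h == d or h.endswith("." + d))
        for d in sorted(hits):
            findings.append(Finding("network", line.strip(), f"contact with {d}"))
    return findings

# Constructed sample export. Placing the write-up's HKLM\redir.RFilter and HKLM\CLSID
# keys under HKLM\SOFTWARE\Classes, and the InprocServer32 path, are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AppID\redir.DLL]
"AppID"="{41879496-CED4-4858-B937-9107DFD96B65}"

[HKEY_CLASSES_ROOT\AppID\{41879496-CED4-4858-B937-9107DFD96B65}]
@="redir"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\redir.RFilter\CurVer]
@="redir.RFilter.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}\InprocServer32]
@="C:\\Users\\alice\\AppData\\LocalLow\\Micronoft\\redir.dll"
"""
# Constructed proxy/DNS log lines; the last is a look-alike domain that must not match.
SAMPLE_LOG = [
    "2010-10-09T10:01:13Z 10.0.0.5 GET http://ironbee.info/cmd.js 200",
    "2010-10-09T10:01:14Z 10.0.0.5 DNS A cdn.yoonohelper.info",
    "2010-10-09T10:01:15Z 10.0.0.5 GET http://notironbee.info/ 200",
]
if __name__ == "__main__":
    for f in scan_registry(SAMPLE_REG) + scan_log_lines(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}: {f.where}")
```

Run as a script it prints six registry findings and two network findings for the constructed input; on a real host, feed it the output of `reg export` for HKCR, HKLM\SOFTWARE\Classes and HKCU\Software\Classes and your proxy or DNS logs. It matches only the identifiers the write-up gives; a complete BHO audit would also enumerate the browser's BHO registrations and verify where each CLSID's InprocServer32 value actually points, which this example does not attempt.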
Analysis by Daniel Radu
Last update 09 October 2010