TrojanDownloader:MSIL/Truado.C
First posted on 07 October 2013.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:MSIL/Truado.C.
Explanation:
Threat behavior
Installation
TrojanDownloader:MSIL/Truado.C arrives on your computer as a download from a malicious website. It uses the file name AdobeUpdater.exe to trick you into downloading and running it.
The downloaded file carries an Adobe Flash icon so that it looks like a legitimate file and you are more likely to run it.
When run, the trojan displays a dialog box made to look like an Adobe update.
In the background, the trojan copies itself to %APPDATA%/startme.exe.
The trojan creates the following registry entry to ensure that it runs each time you start your computer:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: Adobe Updater
With data: "%APPDATA%/startme.exe"
Payload
Downloads other malware
Once installed on your computer, the trojan makes an HTTP request to cdn.videowatchs.us/<removed>/check2.txt.
The server's response instructs the trojan to download other malware, which we detect as TrojanDropper:MSIL/Mevcadif.A.
TrojanDropper:MSIL/Mevcadif.A also installs other malware.
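One way to hunt proxy logs for the instruction download described above, as an added example that is not part of Microsoft's analysis: because the directory between the host and check2.txt was redacted in the write-up, the matcher keys on the host name and the requested file name rather than on the full URL, and reports a weaker "host-only" match for any other request to the same host. The three Squid native-format access.log lines are constructed for the example, and the directory x7f3q is a stand-in for the redacted segment.

```python
"""Hunt Squid-format proxy logs for the Truado.C instruction download."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

C2_HOST = "cdn.videowatchs.us"   # host named in the analysis
C2_FILENAME = "check2.txt"       # file requested; the directory was redacted

# Constructed sample in Squid native access.log format (not a real capture).
# The directory "x7f3q" is a stand-in for the segment the analysis removed.
SAMPLE_ACCESS_LOG = """\
1381150000.123    245 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.20 text/html
1381150007.881     90 10.0.0.5 TCP_MISS/200 61 GET http://cdn.videowatchs.us/x7f3q/check2.txt - HIER_DIRECT/203.0.113.7 text/plain
1381150009.004    130 10.0.0.9 TCP_MISS/404 310 GET http://CDN.VIDEOWATCHS.US:80/other.php - HIER_DIRECT/203.0.113.7 text/html
"""


def parse_squid_line(line: str):
    """Return the fields we need from one native-format line, or None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    url = urlsplit(parts[6])
    return {
        "time": datetime.fromtimestamp(float(parts[0]), tz=timezone.utc),
        "client": parts[2],
        "status": parts[3],
        "method": parts[5],
        # .hostname lowercases and drops the :port, so case and port variants still match
        "host": (url.hostname or "").lower(),
        "path": url.path,
        "url": parts[6],
    }


def classify_request(rec: dict):
    """'beacon' for host + check2.txt, 'host-only' for any other request to the C2 host."""
    if rec["host"] != C2_HOST:
        return None
    filename = rec["path"].rsplit("/", 1)[-1].lower()
    return "beacon" if filename == C2_FILENAME else "host-only"


def hunt_truado_c2(log_text: str) -> list:
    """Return matching records, each tagged with its match strength."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        match = classify_request(rec)
        if match:
            rec["match"] = match
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in hunt_truado_c2(SAMPLE_ACCESS_LOG):
        print(f"{f['time']:%Y-%m-%d %H:%M:%S}Z {f['client']:<12} {f['match']:<9} {f['url']}")
```

A "beacon" hit identifies a client that reached the download stage, so that host should also be checked for the Run-key persistence and for the Mevcadif.A payload; a "host-only" hit is worth a look but is not on its own evidence of this trojan.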
Analysis by Swapnil Bhalode
Symptoms
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following files:
%APPDATA%/startme.exe
- The presence of the following registry modifications:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: Adobe Updater
With data: "%APPDATA%/startme.exe"
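The Run-key indicator listed above (and in the Installation section) can be checked offline from a `reg export` of that key taken on the suspect host. The following Python is an added example, not part of Microsoft's write-up: it parses the .reg dump format (quoted REG_SZ strings and hex(2) REG_EXPAND_SZ values, including the backslash-wrapped long lines reg export produces) and flags Run entries whose value name is "Adobe Updater" or whose data launches startme.exe under %APPDATA%, whether written as the literal variable or already expanded to C:\Users\<user>\AppData\Roaming. The dump embedded below is constructed; the benign OneDrive entry is filler, and the "Spooler" entry is an assumed variant with the value renamed, included to show that matching on the file name catches an entry whose name has changed.

```python
"""Offline triage of a `reg export` dump for the Truado.C Run-key persistence."""
import re
import sys
from pathlib import Path
from typing import Iterator

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "adobe updater"
# startme.exe under the roaming profile, written either as the literal %APPDATA%
# variable or already expanded; either separator, since the page shows a forward slash
IOC_PATH_RE = re.compile(r"(%APPDATA%|\\AppData\\Roaming)[\\/]startme\.exe", re.IGNORECASE)

# Constructed sample of `reg export HKCU\...\Run run.reg` on an infected profile.
# The OneDrive entry is benign filler; the "Spooler" entry is an assumed variant with
# the value renamed and stored as REG_EXPAND_SZ (hex(2)) to show that matching on the
# file name still catches it. None of this is a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Adobe Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\startme.exe\""
"Spooler"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,\
  73,00,74,00,61,00,72,00,74,00,6d,00,65,00,2e,00,65,00,78,00,65,00,00,00
'''


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_hex_string(body: str) -> str:
    """hex(2) data is comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text: str) -> Iterator[tuple]:
    """Yield (key, value_name, data) for string-typed values in a .reg dump."""
    # reg export wraps long hex lines with a trailing backslash; rejoin them first
    text = re.sub(r",\\\r?\n\s*", ",", text)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or key is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            yield key, name, _unescape(data[1:-1])          # REG_SZ
        elif data.startswith("hex(2):"):
            yield key, name, _decode_hex_string(data[7:])   # REG_EXPAND_SZ


def find_truado_persistence(reg_text: str) -> list:
    """Return Run-key values matching the indicator, with the reason(s) for each."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() != RUN_KEY.lower():
            continue
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name is 'Adobe Updater'")
        if IOC_PATH_RE.search(data):
            reasons.append("data runs startme.exe from %APPDATA%")
        if reasons:
            hits.append({"value": name, "data": data, "reasons": reasons})
    return hits


def load_reg_file(path: str) -> str:
    """reg export writes UTF-16LE with a BOM; fall back to ANSI for hand-edited files."""
    raw = Path(path).read_bytes()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252")


if __name__ == "__main__":
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for hit in find_truado_persistence(text):
        print(f"SUSPECT  {hit['value']!r} -> {hit['data']}  ({'; '.join(hit['reasons'])})")
```

Run it as `python triage_run.py run.reg` after `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` on the suspect host, or with no argument to see it flag the constructed sample. Deleting the Run value only stops the relaunch; the copy in %APPDATA% and whatever Mevcadif.A went on to install still need to be removed.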
Last update 07 October 2013