TrojanDropper:Win32/Rochap.A
First posted on 07 April 2009.
Source: SecurityHome
Aliases:
There are no other names known for TrojanDropper:Win32/Rochap.A.
Explanation:
Win32/Rochap is a multi-component trojan that downloads and executes arbitrary files.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
<system folder>\48964.dll
<system folder>\37554.exe
Installation
When executed, Rochap drops a DLL to <system folder>\48964.dll and loads this file.
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Payload
Downloads and Executes Arbitrary Files
When the DLL is loaded, it contacts the www.orthodoxie-oostende.org domain, downloads a file to <system folder>\37554.exe and executes it. This downloaded file is detected as Trojan:Win32/Rochap.A. While downloading, Rochap launches Internet Explorer and displays a video from youtube.com, presumably to distract the affected user and hide its actions.
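The two indicator sets this entry gives (the dropped file names under <system folder> in the Symptoms section, and the download domain in the Payload section) are enough for a quick host and log triage. The script below is an added example written for this page, not code from the original analysis or from the analyst. It resolves <system folder> the way the note above describes, by asking the OS (GetSystemDirectoryW) rather than assuming C:\Windows\System32, checks for the two file names, and flags proxy or DNS log lines that reference the domain without matching lookalike domains that merely contain it. The log lines and the log format are constructed for illustration and are not real captures; the entry does not say which URL path was requested, so none is assumed.

```python
"""Triage helper for the Win32/Rochap.A indicators listed in this entry.

Added example, not part of the original write-up. Assumptions: the proxy-log
format below is constructed; on non-Windows hosts the folder to scan must be
passed explicitly because <system folder> cannot be resolved from the OS.
"""
import ctypes
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# File indicators from the entry, relative to <system folder>.
ROCHAP_FILES = ("48964.dll", "37554.exe")
# Network indicator from the entry.
ROCHAP_DOMAIN = "www.orthodoxie-oostende.org"

# Constructed sample proxy log (not a real capture): one distraction fetch from
# youtube.com, one fetch from the Rochap domain, one benign line, and one
# lookalike domain that must NOT be counted as a hit.
SAMPLE_PROXY_LOG = [
    "2009-04-07 10:01:13 192.168.1.20 GET http://www.youtube.com/watch?v=abc 200",
    "2009-04-07 10:01:14 192.168.1.20 GET http://www.orthodoxie-oostende.org/ 200",
    "2009-04-07 10:01:15 192.168.1.20 GET http://update.example.com/patch.cab 200",
    "2009-04-07 10:01:16 192.168.1.21 GET http://www.orthodoxie-oostende.org.example/ 200",
]


def system_folder() -> Optional[Path]:
    """Resolve <system folder> as the malware does: by querying the OS.

    Calls GetSystemDirectoryW so non-default installs (e.g. C:\\Winnt on
    Windows 2000/NT) are handled. Returns None when not running on Windows.
    """
    if not sys.platform.startswith("win"):
        return None
    buf = ctypes.create_unicode_buffer(260)
    length = ctypes.windll.kernel32.GetSystemDirectoryW(buf, len(buf))
    return Path(buf.value) if length else None


def find_dropped_files(folder: Path) -> List[str]:
    """Return the Rochap indicator file names that exist in `folder`."""
    return [name for name in ROCHAP_FILES if (folder / name).is_file()]


def find_domain_hits(log_lines: Iterable[str]) -> List[str]:
    """Return log lines that reference the Rochap download domain.

    Case-insensitive. The lookarounds require the domain to start a label
    (so 'evilwww.orthodoxie-oostende.org' is not a hit) and to end the name
    (so 'www.orthodoxie-oostende.org.example' is not a hit), while a trailing
    dot as written in DNS logs ('...org.') still matches.
    """
    pattern = re.compile(
        r"(?<![\w-])" + re.escape(ROCHAP_DOMAIN) + r"(?![\w-]|\.[\w-])",
        re.IGNORECASE,
    )
    return [line for line in log_lines if pattern.search(line)]


def triage(folder: Path, log_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Combine the file-system and network checks into one report."""
    return {
        "dropped_files": find_dropped_files(folder),
        "domain_hits": find_domain_hits(log_lines),
    }


if __name__ == "__main__":
    # On Windows, resolve <system folder> from the OS; elsewhere take a path argument.
    folder = Path(sys.argv[1]) if len(sys.argv) > 1 else system_folder()
    if folder is None:
        sys.exit("usage: rochap_triage.py <folder to scan>   (path required off Windows)")
    for key, value in triage(folder, SAMPLE_PROXY_LOG).items():
        print(f"{key}: {value}")
```

Run it with no arguments on a Windows host to scan the real System folder, or with a directory argument anywhere else. A hit on either indicator is a reason to pull the files for analysis; an empty report only says that these two names and this one domain were not seen, since variants could use other file names or hosts.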
Analysis by Shawn Wang
Last update 07 April 2009