TrojanDropper:Win32/Waltrodock.A
First posted on 05 May 2012.
Source: Microsoft
Aliases:
TrojanDropper:Win32/Waltrodock.A is also known as TR/Darkmegi.A (Avira), Trojan.PWS.Gamania.34873 (Dr.Web), a variant of Win32/CsNowDown.C (ESET), Trojan-Spy.Win32.Agent.bxix (Kaspersky), Downloader.Darkmegi (Symantec), TROJ_DLOAD.QYUA (Trend Micro).
Explanation:
TrojanDropper:Win32/Waltrodock.A is a trojan that installs other components of the Win32/Waltrodock malware family.
Installation
When run, this trojan executes a Windows utility executable named "ipconfig.exe". The trojan dropper then runs its malware installation payload.
After running its payload routine, and as a cleanup procedure, the trojan dropper writes and executes a batch script to delete itself.
Payload
Installs other malware
This trojan dropper creates the following files:
- %systemroot%\System32\drivers\com32.sys - Trojan:WinNT/Waltrodock.A
- %systemroot%\System32\com32.dll - Trojan:Win32/Waltrodock.A
It installs the component "com32.sys" as a service named "Com32" and also executes Trojan:Win32/Waltrodock.A by running the following instruction:
- rundll32.exe %sysdir%\com32.dll GetInterface
TrojanDropper:Win32/Waltrodock.A searches for the following processes in memory:
- SpStart.exe
- IRPro.exe
- Remon.exe
If found, the trojan drops another file component:
- %systemroot%\System32\FileDisk.sys - detected as Trojan:Win32/Waltrodock.A
This dropped component is installed to run as a service named "FileDisk". TrojanDropper:Win32/Waltrodock.A attempts to drop a copy of itself as the following:
- z:\%systemroot%\System32\userinit.exe
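The artifacts listed in this description (dropped files, the "Com32" and "FileDisk" service names, the rundll32 loader command and the three trigger processes) can be turned into a host-inventory check. The following is an added example, not code from the Microsoft page or from its analyst: it takes a snapshot of a host (file paths, installed services, running processes and process command lines), matches the documented artifacts against it and returns the findings. The snapshot format, the `HostSnapshot` class and the sample data are constructed for illustration, and `%systemroot%`/`%sysdir%` are expanded to their defaults on a standard install (`C:\Windows`, `C:\Windows\System32`), which is an assumption.

```python
"""Host-inventory check for the Win32/Waltrodock artifacts documented above.

Added example, not Microsoft's code. The snapshot format and the sample data
below are constructed; only the artifact names come from the description.
"""
import re
from dataclasses import dataclass, field

# File paths exactly as given on the page, mapped to the detection name the
# page assigns to each. The z:\ entry is kept as the page writes it.
PAGE_FILES = {
    r"%systemroot%\System32\drivers\com32.sys": "Trojan:WinNT/Waltrodock.A",
    r"%systemroot%\System32\com32.dll": "Trojan:Win32/Waltrodock.A",
    r"%systemroot%\System32\FileDisk.sys": "Trojan:Win32/Waltrodock.A",
    r"z:\%systemroot%\System32\userinit.exe": "copy of TrojanDropper:Win32/Waltrodock.A",
}
SERVICE_NAMES = {"com32": "com32.sys driver service", "filedisk": "FileDisk.sys service"}
# Loader command from the page: rundll32.exe %sysdir%\com32.dll GetInterface
LOADER_RE = re.compile(r"rundll32(\.exe)?\s+.*\\com32\.dll\s+getinterface\b", re.IGNORECASE)
# Presence of these processes makes the dropper install FileDisk.sys. They are
# third-party programs, so they are reported as context, not as an infection.
TRIGGER_PROCESSES = {"spstart.exe", "irpro.exe", "remon.exe"}


def normalise_path(path: str) -> str:
    """Lower-case a path and expand the placeholders used on the page.

    Assumption: %systemroot% is C:\\Windows and %sysdir% is C:\\Windows\\System32.
    """
    path = path.lower()
    return path.replace("%systemroot%", r"c:\windows").replace("%sysdir%", r"c:\windows\system32")


DROPPED_FILES = {normalise_path(p): name for p, name in PAGE_FILES.items()}


@dataclass
class HostSnapshot:
    """Constructed inventory format: whatever your EDR or script collects."""
    files: list[str] = field(default_factory=list)
    services: list[str] = field(default_factory=list)
    processes: list[str] = field(default_factory=list)
    command_lines: list[str] = field(default_factory=list)


def scan(snapshot: HostSnapshot) -> dict[str, list[str]]:
    """Return the documented artifacts found in the snapshot, grouped by kind."""
    findings: dict[str, list[str]] = {"files": [], "services": [], "loader": [], "context": []}
    for f in snapshot.files:
        key = normalise_path(f)
        if key in DROPPED_FILES:
            findings["files"].append(f"{f} -> {DROPPED_FILES[key]}")
    for s in snapshot.services:
        if s.lower() in SERVICE_NAMES:
            findings["services"].append(f"{s} ({SERVICE_NAMES[s.lower()]})")
    for cl in snapshot.command_lines:
        if LOADER_RE.search(cl):
            findings["loader"].append(cl)
    for p in snapshot.processes:
        if p.lower() in TRIGGER_PROCESSES:
            findings["context"].append(p)
    return findings


def is_infected(findings: dict[str, list[str]]) -> bool:
    """Files, services or the loader command indicate infection; trigger processes alone do not."""
    return bool(findings["files"] or findings["services"] or findings["loader"])


# Constructed sample snapshot of an infected host (kernel32.dll, Dnscache and
# explorer.exe are benign entries included to show they are not flagged).
SAMPLE_INFECTED = HostSnapshot(
    files=[r"C:\Windows\System32\drivers\com32.sys", r"C:\Windows\System32\com32.dll",
           r"C:\Windows\System32\kernel32.dll"],
    services=["Com32", "Dnscache"],
    processes=["explorer.exe", "IRPro.exe"],
    command_lines=[r"rundll32.exe C:\Windows\system32\com32.dll GetInterface", r"C:\Windows\explorer.exe"],
)
# Constructed sample of a clean host that happens to run one of the trigger processes.
SAMPLE_CLEAN = HostSnapshot(files=[r"C:\Windows\System32\kernel32.dll"], services=["Dnscache"],
                            processes=["Remon.exe"], command_lines=[r"C:\Windows\explorer.exe"])

if __name__ == "__main__":
    for label, snap in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        result = scan(snap)
        print(f"{label}: infected={is_infected(result)} {result}")
```

The trigger processes are deliberately kept out of the verdict: the page says their presence changes what the dropper installs, not that they are malicious, so reporting them as context avoids false positives on hosts that legitimately run those programs.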
Analysis by Vincent Tiu
Last update 05 May 2012