
TrojanDownloader:Win32/Dalexis


First posted on 23 September 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Dalexis.

Explanation :

Threat behavior

Installation


The threat contains an embedded clean CAB file, which it drops into the %TEMP% folder under a name of the form temp_cab_<number>.cab, for example temp_cab_387640.cab.

The CAB file contains a decoy document that the trojan extracts and opens with CreateProcess, so that a document appears on your PC while the malware runs. We have seen the document appear as an RTF or PDF file.

In the wild, we've seen the document claim to be an invoice, as in this example:

[image: fake invoice document displayed by the trojan]

The trojan may arrive as an attachment in a spammed email message generated by a member of the Win32/Cutwail family of malware.

We have seen the attachment use file names similar to the following:

  • order_2014-09-03_10-09-41_1218448113.arj
  • bill_2014-09-10_09-32-00_26934258393.arj
  • sale_2014-09-02_09-24-16_28083729575.arj


As seen in these examples, the attachment claims to be a receipt, invoice, or some other document related to an order or sale.
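The attachment names above and the dropped files described under Installation (temp_cab_<number>.cab and update_<number>.exe in %TEMP%) share a rigid naming scheme, which makes them cheap to match. The following is an added triage example, not code from the write-up or from Microsoft; it turns the observed names into regular expressions and validates the embedded timestamp so that a coincidental match on the shape alone is rejected. The keyword set (order, bill, sale) is limited to what the write-up lists; extending it for other "document" words is an assumption left to the reader.

```python
import re
from datetime import datetime

# Pattern built from the attachment names listed in the write-up:
#   <keyword>_<YYYY-MM-DD>_<HH-MM-SS>_<digits>.arj
# Only the three keywords actually observed are included (assumption: a
# real deployment would extend this set).
ATTACHMENT_RE = re.compile(
    r"^(?P<word>order|bill|sale)_"
    r"(?P<date>\d{4}-\d{2}-\d{2})_(?P<time>\d{2}-\d{2}-\d{2})_"
    r"(?P<serial>\d{6,})\.arj$",
    re.IGNORECASE,
)

# Files the downloader writes to %TEMP%: the dropped CAB and the payload.
DROPPED_RE = re.compile(r"^(temp_cab_\d+\.cab|update_\d+\.exe)$", re.IGNORECASE)


def classify_attachment(name: str):
    """Return details of a name matching the spam attachment scheme, or None."""
    m = ATTACHMENT_RE.match(name)
    if not m:
        return None
    try:
        # The timestamp must be a real date and time; this rejects names that
        # merely have the right shape (e.g. month 13 or hour 99).
        datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H-%M-%S")
    except ValueError:
        return None
    return {"keyword": m["word"].lower(), "date": m["date"], "serial": m["serial"]}


def is_dropped_artifact(name: str) -> bool:
    """True for temp_cab_<digits>.cab / update_<digits>.exe style names."""
    return DROPPED_RE.match(name) is not None


def triage(names):
    """Split file names into (matching attachments, dropped %TEMP% artefacts)."""
    attachments = []
    for n in names:
        info = classify_attachment(n)
        if info:
            attachments.append((n, info))
    dropped = [n for n in names if is_dropped_artifact(n)]
    return attachments, dropped


if __name__ == "__main__":
    # Constructed sample input: names from the write-up plus benign noise.
    sample = [
        "order_2014-09-03_10-09-41_1218448113.arj",
        "bill_2014-09-10_09-32-00_26934258393.arj",
        "order_2014-13-45_99-99-99_1218448113.arj",  # right shape, bogus date
        "temp_cab_387640.cab",
        "update_387640.exe",
        "readme.txt",
    ]
    for item in triage(sample):
        print(item)
```

Match these names against mail-gateway attachment logs for the attachment pattern and against a listing of each user's %TEMP% folder for the dropped artefacts; a hit on the %TEMP% names is the stronger signal, since they are written by the trojan itself rather than chosen by the spammer.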

Payload


Downloads updates or other malware

The threat checks for an Internet connection by connecting to a clean website, such as windowsupdate.microsoft.com.

If successful, it connects to a remote host that is hardcoded in its binary to download other malware. We have seen it connect to the following domains:

  • pubbliemme.com
  • agatecom.fr
  • baselineproduction.fr


In the wild, we have seen this malware download updates of itself and other malware, including the Win32/Zbot variant PWS:Win32/Zbot.gen!GOA and Trojan:Win32/Tinba.A. The downloaded file is saved to the %TEMP% folder under a name of the form update_<number>.exe, for example update_387640.exe.
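The two-step network behaviour above (a connectivity check against a clean site, then a fetch from a hardcoded download host) is a sequence worth correlating in proxy logs, because a contact with windowsupdate.microsoft.com alone is normal for any Windows machine. The following is an added detection example, not code from the write-up; the download hosts are the three listed above, while the log format and the log lines themselves are constructed for the demonstration. Every contact with a listed host is reported, and those that follow a connectivity check from the same client within a short window are flagged as matching the downloader's sequence.

```python
from datetime import datetime, timedelta

# Download hosts named in the write-up and the clean site used as the
# connectivity check.
DOWNLOAD_HOSTS = {"pubbliemme.com", "agatecom.fr", "baselineproduction.fr"}
CONNECTIVITY_CHECK = "windowsupdate.microsoft.com"

# Constructed sample proxy log (not real traffic): "timestamp client host status".
# 10.0.0.5 performs the check-then-download sequence; 10.0.0.9 only reaches
# Windows Update; 10.0.0.12 reaches a listed host but the check comes later.
SAMPLE_LOG = """\
2014-09-23T10:00:01 10.0.0.5 windowsupdate.microsoft.com 200
2014-09-23T10:00:03 10.0.0.5 pubbliemme.com 200
2014-09-23T10:00:07 10.0.0.9 windowsupdate.microsoft.com 200
2014-09-23T10:05:00 10.0.0.9 example.org 200
2014-09-23T10:06:00 10.0.0.12 agatecom.fr 200
2014-09-23T10:20:00 10.0.0.12 windowsupdate.microsoft.com 200
"""


def parse_log(text):
    """Parse the constructed log format into (time, client, host, status) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, status = line.split()
        events.append((datetime.fromisoformat(ts), client,
                       host.lower().rstrip("."), int(status)))
    return events


def _is_download_host(host):
    # Match a listed domain and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in DOWNLOAD_HOSTS)


def correlate(text, window_s=120):
    """Return one alert per contact with a listed download host.

    after_connectivity_check is True when the same client reached the
    connectivity-check site within window_s seconds beforehand, which is the
    order in which this downloader operates.
    """
    last_check = {}
    alerts = []
    for ts, client, host, status in sorted(parse_log(text)):
        if host == CONNECTIVITY_CHECK:
            last_check[client] = ts
            continue
        if _is_download_host(host):
            prev = last_check.get(client)
            in_sequence = prev is not None and ts - prev <= timedelta(seconds=window_s)
            alerts.append({
                "client": client,
                "host": host,
                "time": ts.isoformat(),
                "after_connectivity_check": in_sequence,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The window of 120 seconds is an assumption chosen for the sample; the write-up gives no timing. Treat any contact with the listed hosts as an indicator regardless of the sequence flag, since the hosts are hardcoded in the binary, and use the flag to prioritise hosts that exhibit the full downloader behaviour.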



Analysis by Rodel Finones

Symptoms

You might have this threat if you see a fake invoice or receipt similar to the one shown in the Technical information tab.

Last update 23 September 2014
