TrojanDropper:Win32/Dwonk.A
First posted on 05 November 2012.
Source: Microsoft
Aliases:
TrojanDropper:Win32/Dwonk.A is also known as BackDoor-EJG (McAfee), TROJ_RENOS.SM (Trend Micro), Trojan.MulDrop.46689 (Dr.Web), Trojan.Win32.Chydo.cfs (Kaspersky), Trojan/Win32.Chydo (AhnLab), Trojan-Dropper.Win32.Dwonk (Ikarus), W32/AutoRun.BPRM (Norman), W32/Trojan2.JXKJ (Command), Worm.AutoRun!J+Zo+yC5Sik (VirusBuster).
Explanation:
TrojanDropper:Win32/Dwonk.A is a trojan that installs other malware, such as Trojan:Win32/Killav.DP (a trojan that attempts to uninstall multiple antivirus and firewall programs) and Worm:Win32/Pykspa.C (a worm that spreads via Skype messaging, Twitter, mapped drives and network shares).
Installation
TrojanDropper:Win32/Dwonk.A runs from where it was executed in order to perform its payload. It does not install itself on your computer.
Payload
Drops and installs other malware
TrojanDropper:Win32/Dwonk.A drops an executable file (EXE) with an 11-character file name into the %TEMP% folder, as in the following examples:
- <TEMP>\fplgxhdypzv.exe
- <TEMP>\vbvlntndflf.exe
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of the Temp folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
The dropped file is detected as Worm:Win32/Pykspa.C, a worm that spreads via Skype messaging, Twitter, and network drives and shares.
TrojanDropper:Win32/Dwonk.A also drops a DLL file with an eight-character file name into the %TEMP% folder, as in the following examples:
- <TEMP>\jkzeetek.dll
- <TEMP>\ynyepkbf.dll
The DLL file is detected as Trojan:Win32/Killav.DP, a trojan that attempts to uninstall security-related software, such as antivirus and firewall programs.
The DLL component is installed if one of the following security-related processes is running on your computer:
- ashserv.exe
- avgcsrvx.exe
- avgrsx.exe
- avgtray.exe
- avguard.exe
- avp.exe
- bdagent.exe
- ccsvchst.exe
- ekrn.exe
- fsgk32st.exe
- gdscan.exe
- mcmscsvc.exe
- PsCtrlS.exe
- pshost.exe
- vsserv.exe
- zlclient.exe
Additional information
TrojanDropper:Win32/Dwonk.A generates random-seeming file names for the EXE and DLL files based on your computer's name. This ensures that only one instance of the malware will be dropped on your computer at any one time.
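The naming patterns described under Payload can be turned into a triage check over a file listing collected from an endpoint. The following is an added example, not part of the original entry or any Microsoft tooling; the function names, the sample listing and the letters-only restriction are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: names consist of ASCII letters only, as in the four examples in
# the entry; the entry itself states only the lengths (11 and 8 characters).
EXE_RE = re.compile(r"[a-z]{11}\.exe", re.IGNORECASE)
DLL_RE = re.compile(r"[a-z]{8}\.dll", re.IGNORECASE)

def classify(name):
    """Return 'exe', 'dll' or None for a bare file name."""
    if EXE_RE.fullmatch(name):
        return "exe"
    if DLL_RE.fullmatch(name):
        return "dll"
    return None

def triage(paths):
    """Group candidate files by Temp folder and rank each folder.

    'high': an 11-letter EXE and an 8-letter DLL share the same Temp folder.
    'low' : only one pattern is present, which is common for benign files.
    """
    hits = defaultdict(lambda: {"exe": [], "dll": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        # Only files sitting directly in a folder named Temp are in scope.
        if p.parent.name.lower() != "temp":
            continue
        kind = classify(p.name)
        if kind:
            hits[str(p.parent)][kind].append(p.name)
    report = {}
    for folder, found in hits.items():
        level = "high" if found["exe"] and found["dll"] else "low"
        report[folder] = {"confidence": level, **found}
    return report

# Constructed listing: the short names are the entry's own examples, placed
# under made-up user profiles; the other files are benign-looking filler.
SAMPLE = [
    r"C:\Users\alice\AppData\Local\Temp\fplgxhdypzv.exe",
    r"C:\Users\alice\AppData\Local\Temp\jkzeetek.dll",
    r"C:\Users\bob\AppData\Local\Temp\mscoree1.dll",   # contains a digit
    r"C:\Users\bob\AppData\Local\Temp\installer.dll",  # nine letters
    r"C:\Users\bob\AppData\Local\Temp\ynyepkbf.dll",
    r"C:\Users\bob\Downloads\vbvlntndflf.exe",         # not in Temp
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A name-length match on its own is a weak signal, so a "low" result is a prompt to hash and scan the file rather than a detection.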
Related encyclopedia entries
Trojan:Win32/Killav.DP
Worm:Win32/Pykspa.C
Analysis by Rodel Finones
Last update 05 November 2012