
TrojanDropper:Win32/Dwonk.A


First posted on 05 November 2012.
Source: Microsoft

Aliases :

TrojanDropper:Win32/Dwonk.A is also known as BackDoor-EJG (McAfee), TROJ_RENOS.SM (Trend Micro), Trojan.MulDrop.46689 (Dr.Web), Trojan.Win32.Chydo.cfs (Kaspersky), Trojan/Win32.Chydo (AhnLab), Trojan-Dropper.Win32.Dwonk (Ikarus), W32/AutoRun.BPRM (Norman), W32/Trojan2.JXKJ (Command), Worm.AutoRun!J+Zo+yC5Sik (VirusBuster).

Explanation :



TrojanDropper:Win32/Dwonk.A is a trojan that installs other malware, such as Trojan:Win32/Killav.DP (a trojan that attempts to uninstall multiple antivirus and firewall programs) and Worm:Win32/Pykspa.C (a worm that spreads via Skype messaging, Twitter, mapped drives and network shares).



Installation

TrojanDropper:Win32/Dwonk.A runs from where it was executed in order to perform its payload. It does not install itself on your computer.



Payload

Drops and installs other malware

TrojanDropper:Win32/Dwonk.A drops an executable file (EXE) with an 11-character file name into the %TEMP% folder, as in the following examples:

  • <TEMP>\fplgxhdypzv.exe
  • <TEMP>\vbvlntndflf.exe


Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of the current user's Temp folder on Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp" (the 8.3 short form of C:\Documents and Settings\<user>\Local Settings\Temp). On Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

The dropped file is detected as Worm:Win32/Pykspa.C, a worm that spreads via Skype messaging, Twitter, and network drives and shares.

TrojanDropper:Win32/Dwonk.A also drops a DLL file with an eight-character file name into the %TEMP% folder, as in the following examples:

  • <TEMP>\jkzeetek.dll
  • <TEMP>\ynyepkbf.dll


The DLL file is detected as Trojan:Win32/Killav.DP, a trojan that attempts to uninstall security-related software, such as antivirus and firewall programs.

The DLL component is installed if one of the following security-related processes is running on your computer:

  • ashserv.exe
  • avgcsrvx.exe
  • avgrsx.exe
  • avgtray.exe
  • avguard.exe
  • avp.exe
  • bdagent.exe
  • ccsvchst.exe
  • ekrn.exe
  • fsgk32st.exe
  • gdscan.exe
  • mcmscsvc.exe
  • PsCtrlS.exe
  • pshost.exe
  • vsserv.exe
  • zlclient.exe

Additional information

TrojanDropper:Win32/Dwonk.A derives the seemingly random file names for the EXE and DLL files from your computer's name rather than from a true random source. Because the names are deterministic for a given machine, repeated executions reuse the same paths, so only one copy of each dropped component exists on the computer at any one time.
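
The two observable traits described above, the %TEMP% naming scheme for the dropped EXE and DLL and the list of security processes that gates the DLL drop, can be turned into a small triage check. The following Python is an added example written for this page, not Microsoft's analysis code or a detection signature. It assumes the file-name stems are lowercase ASCII letters (inferred from the four sample names shown; widen the character class if your samples differ) and runs on constructed sample data. Many legitimate installers also drop randomly named files into %TEMP%, so a match is a reason to pull the file for scanning, not a conviction on its own.

```python
"""Triage helper for the TrojanDropper:Win32/Dwonk.A artifacts described above.

Added example, not Microsoft's code. It checks two things the write-up
describes: (1) %TEMP% entries matching the dropper's naming scheme, an
11-letter .exe (Worm:Win32/Pykspa.C) and an 8-letter .dll
(Trojan:Win32/Killav.DP); (2) whether any of the security processes that
trigger the DLL drop are running, which tells you whether to expect the DLL.
"""
import os
import re
from typing import Dict, Iterable, List, Optional

# Assumption: the stems are lowercase ASCII letters only, as in the four
# sample names on the page. Widen to [A-Za-z0-9] if your samples differ.
EXE_NAME = re.compile(r"^[a-z]{11}\.exe$")
DLL_NAME = re.compile(r"^[a-z]{8}\.dll$")

# Process names from the page; compared case-insensitively.
TRIGGER_PROCESSES = frozenset(p.lower() for p in (
    "ashserv.exe", "avgcsrvx.exe", "avgrsx.exe", "avgtray.exe", "avguard.exe",
    "avp.exe", "bdagent.exe", "ccsvchst.exe", "ekrn.exe", "fsgk32st.exe",
    "gdscan.exe", "mcmscsvc.exe", "PsCtrlS.exe", "pshost.exe", "vsserv.exe",
    "zlclient.exe",
))


def classify_name(name: str) -> Optional[str]:
    """Return 'exe', 'dll', or None for one file name (NTFS names are case-insensitive)."""
    lowered = name.lower()
    if EXE_NAME.match(lowered):
        return "exe"
    if DLL_NAME.match(lowered):
        return "dll"
    return None


def scan_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket candidate dropper files from a directory listing."""
    found: Dict[str, List[str]] = {"exe": [], "dll": []}
    for name in names:
        kind = classify_name(name)
        if kind:
            found[kind].append(name)
    return found


def scan_temp_dir(temp_dir: Optional[str] = None) -> Dict[str, List[str]]:
    """Live variant: scan the real %TEMP% (or TMP, or /tmp) for regular files."""
    temp_dir = temp_dir or os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp"
    with os.scandir(temp_dir) as entries:
        return scan_names(e.name for e in entries if e.is_file())


def trigger_processes_running(process_names: Iterable[str]) -> List[str]:
    """Which of the page's listed security processes appear in a process list."""
    return sorted({p.lower() for p in process_names} & TRIGGER_PROCESSES)


def assess(listing: Iterable[str], process_names: Iterable[str]) -> Dict[str, object]:
    """Combine both checks. The EXE is always expected; the DLL only when a
    trigger process is running, so a DLL candidate with no trigger (or the
    reverse) deserves a second look rather than automatic dismissal."""
    files = scan_names(listing)
    triggers = trigger_processes_running(process_names)
    return {
        "exe_candidates": files["exe"],
        "dll_candidates": files["dll"],
        "triggers": triggers,
        "dll_expected": bool(triggers),
        "suspicious": bool(files["exe"] or files["dll"]),
    }


# Constructed sample data (not from a real infection): a %TEMP% listing with
# the page's two sample names among ordinary temp files, and a process list.
SAMPLE_TEMP_LISTING = [
    "fplgxhdypzv.exe",      # 11 letters: Pykspa.C candidate
    "jkzeetek.dll",         # 8 letters: Killav.DP candidate
    "~DF3A1B.tmp", "setup_log.txt", "abcdefghij.exe", "mscoree.dll",
]
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "AVP.EXE", "skype.exe"]

if __name__ == "__main__":
    result = assess(SAMPLE_TEMP_LISTING, SAMPLE_PROCESSES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed case, or call scan_temp_dir() together with a real process list (for example the output of tasklist) on a suspect host. Any file it flags should be hashed and submitted for scanning rather than deleted blindly, since the name pattern alone is not proof.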

Related encyclopedia entries

Trojan:Win32/Killav.DP

Worm:Win32/Pykspa.C



Analysis by Rodel Finones

Last update 05 November 2012

 
