Trojan:Win32/Horst.gen!C
First posted on 01 May 2009.
Source: SecurityHome
Aliases:
There are no other names known for Trojan:Win32/Horst.gen!C.
Explanation:
Trojan:Win32/Horst.gen!C is a peer-to-peer file sharing component of the multiple-component Win32/Horst family. Files detected by this signature may be used to establish a peer-to-peer connection with other infected systems via the eDonkey/eMule P2P file sharing networks. This connection can then be used to download and execute files from, or distribute them to, the other affected systems. It may also be used to attempt to spread other Horst components to eDonkey/eMule users. Many of the components distributed by Horst are associated with sending spam.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
%temp%\dnk\zlib1.dll
%temp%\mdmm.exe
%temp%\mdm.exe
Installation
Trojan:Win32/Horst.gen!C is downloaded and installed by other components of the Win32/Horst family. This process is described in more detail in the Win32/Horst family description. The component is generally found in the %temp% directory, and at the time of publication typically used filenames such as mdmm.exe or mdm.exe. When first installed it may attempt to download a clean zip library from a location such as rec.faderups.com or up.taterop.com and save it to %temp%\dnk\zlib1.dll.
Spreads Via…
This component does not spread independently. However, it may use the eDonkey/eMule P2P file sharing network to spread a component via which it may indirectly be downloaded to other systems.
Payload
Downloads/Shares Files via P2P File Sharing
Horst downloads some configuration information, including details of the IP addresses and ports of the eDonkey servers, from locations such as the following:
rec.faderups.com
up.taterop.com
hasteman.com
It may also read configuration information from files previously written by other Horst components. Configuration files are typically stored in a directory such as %temp%\dnk. It then uses eDonkey/eMule to establish connections with other affected systems. This connection may be used to download and execute other Horst components. Once the components have been downloaded, they may also be distributed to other affected systems. Downloaded components are typically associated with the sending of spam, and may be stored in the %temp%\dnk\shared directory.
The malware may also be requested to attempt to distribute files to other users of the eDonkey/eMule P2P network. This is typically a downloader component of Horst, with a filename that masquerades as a crack for popular software programs. The following suffixes may be appended to the filenames used (sometimes with the spaces replaced by underscores):
- NoCD Crack KeyGen.exe
Crack Patch Serial Keygen.exe
+ CRACK + NOCD.exe
+ CRACK + ACTIVATOR.EXE
keygen crack patch.exe
crack0.exe
serial0 keygen0.exe
crack keygen.exe
For example, the following filenames have been observed:
“PDFIn PDF to DWG Converter 2008 crack0.exe”
“DAEMON Tools 4.12 serial0 keygen0.exe”
“Norton Ghost 14 serial0 keygen0.exe”
Snood_-_NoCD_Crack_KeyGen.exe
FIX-IT_UTILITIES_+_CRACK_+_ACTIVATOR.exe
splinter cell chaos theory_keygen_crack_patch.exe
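The file indicators under %temp% from the Symptoms section, the configuration hosts, and the lure-filename suffixes listed above can be combined into a simple host and log triage check. The following Python script is an added example written for this page; it is not part of the original write-up and not a vendor signature. The backslash-separated paths (%temp%\dnk\zlib1.dll, %temp%\dnk\shared) are reconstructed from the path fragments in the text, and the helper names (match_lure_suffix, classify_listing, scan_temp, referenced_hosts) are this example's own. It applies the page's rule that spaces in a suffix may appear as underscores and that the suffix is appended to a product name.

```python
"""Added triage helper for the Trojan:Win32/Horst.gen!C indicators described above.

Hypothetical example code, not a vendor signature. Paths, hosts and lure
suffixes are taken from the write-up; the helper names are this example's own.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional

# Files the write-up lists under %temp% (backslashes reconstructed from the text).
INDICATOR_FILES = {"mdmm.exe", "mdm.exe", "dnk/zlib1.dll"}

# Hosts named in the write-up as sources of the component or its configuration.
SUSPECT_HOSTS = ["rec.faderups.com", "up.taterop.com", "hasteman.com"]

# Suffixes the write-up says are appended to lure filenames (spaces may be underscores).
LURE_SUFFIXES = [
    "- NoCD Crack KeyGen.exe",
    "Crack Patch Serial Keygen.exe",
    "+ CRACK + NOCD.exe",
    "+ CRACK + ACTIVATOR.EXE",
    "keygen crack patch.exe",
    "crack0.exe",
    "serial0 keygen0.exe",
    "crack keygen.exe",
]


def _normalise(name: str) -> str:
    """Case-fold and treat underscores as spaces, as the write-up describes."""
    return name.replace("_", " ").strip().lower()


def match_lure_suffix(filename: str) -> Optional[str]:
    """Return the listed suffix that `filename` ends with, or None.

    The longest suffix wins, and a product name must precede it: a bare
    "crack0.exe" is not the masquerade pattern the write-up describes.
    """
    name = _normalise(filename)
    for suffix in sorted(LURE_SUFFIXES, key=len, reverse=True):
        s = _normalise(suffix)
        if name.endswith(s) and len(name) > len(s) and name[-len(s) - 1] == " ":
            return suffix
    return None


def classify_listing(relative_paths: Iterable[str]) -> dict:
    """Classify paths given relative to %temp% (either path separator accepted)."""
    result = {"indicator_files": [], "config_dir_seen": False, "lure_files": []}
    for rel in relative_paths:
        norm = rel.replace("\\", "/").strip("/")
        low = norm.lower()
        if low in INDICATOR_FILES:
            result["indicator_files"].append(norm)
        if low.startswith("dnk/"):
            result["config_dir_seen"] = True
        if low.startswith("dnk/shared/") and match_lure_suffix(norm.rsplit("/", 1)[-1]):
            result["lure_files"].append(norm)
    return result


def scan_temp(temp_dir: Optional[str] = None) -> dict:
    """Walk the real %temp% (or a directory you name) and classify what is there."""
    root = Path(temp_dir or os.environ.get("TEMP") or tempfile.gettempdir())
    rels = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            rels.append(os.path.relpath(os.path.join(dirpath, fn), root))
    return classify_listing(rels)


def referenced_hosts(text: str) -> List[str]:
    """Return which of the listed hosts appear in a proxy, DNS or firewall log line."""
    low = text.lower()
    return [h for h in SUSPECT_HOSTS if h in low]


if __name__ == "__main__":
    # Scan the current user's %temp% and print the findings as JSON.
    print(json.dumps(scan_temp(), indent=2))
```

Run it without arguments on a Windows host to scan the current %temp%, or point scan_temp at a mounted image. Treat a hit as a reason to pull the file for analysis rather than as proof of infection, and treat no hits as inconclusive: the write-up says the filenames were typical "at the time of publication", and the suffix list is explicitly a sample of what was observed.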
Analysis by David Wood
Last update 01 May 2009