
TrojanDropper:Win32/Cucirk.A


First posted on 22 February 2012.
Source: Microsoft

Aliases:

TrojanDropper:Win32/Cucirk.A is also known as Trojan horse PSW.KeyLogger.AEM.dropper (AVG), TR/Spy.Gen (Avira), Trojan.Win32.Spy (Ikarus).

Explanation:

TrojanDropper:Win32/Cucirk.A is a trojan that drops another piece of malware, which is detected as Backdoor:Win32/Cucirk.A.





Installation

TrojanDropper:Win32/Cucirk.A is present in the computer as the following file:

%Temp%\<random number>_res.tmp



Payload

Drops other malware

TrojanDropper:Win32/Cucirk.A drops the following file, which is detected as Backdoor:Win32/Cucirk.A:

%AppData%\recycler.dll

It also drops the following file, which links back to the dropped DLL malware; its location ensures that the DLL file automatically runs at each Windows start:

<startup folder>\windows security center.lnk

Note: <startup folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
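A read-only check for the three file artifacts listed above, as an added example that is not part of the original Microsoft write-up. The function name Get-CucirkArtifact is hypothetical, PowerShell 3.0 or later is assumed, and including the all-users Startup folder is an assumption beyond what the entry states.

```powershell
# Added example: looks for the file artifacts named in this entry under the
# current user's profile. Read-only; nothing is deleted or modified.
function Get-CucirkArtifact {
    [CmdletBinding()]
    param(
        [string]$TempDir    = $env:TEMP,
        [string]$AppDataDir = $env:APPDATA,
        # Ask the OS for the Startup folders rather than hard-coding them,
        # because the location differs between Windows versions.
        # 'CommonStartup' (all users) is an assumption, not from the entry.
        [string[]]$StartupDirs = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup'))
    )

    # 1. Dropper file: %Temp%\<random number>_res.tmp
    Get-ChildItem -LiteralPath $TempDir -Filter '*_res.tmp' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^\d+_res\.tmp$' } |
        ForEach-Object {
            [pscustomobject]@{ Artifact = 'Dropper'; Path = $_.FullName; Detail = '' }
        }

    # 2. Dropped DLL: %AppData%\recycler.dll
    $dll = Join-Path $AppDataDir 'recycler.dll'
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        [pscustomobject]@{ Artifact = 'DroppedDll'; Path = $dll; Detail = '' }
    }

    # 3. Startup shortcuts: flag by the file name given in the entry, or by a
    #    target/argument string that references the dropped DLL, so a renamed
    #    shortcut is still reported.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $StartupDirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Force) {
            $sc       = $shell.CreateShortcut($lnk.FullName)
            $launch   = ("{0} {1}" -f $sc.TargetPath, $sc.Arguments).Trim()
            $byName   = $lnk.Name -eq 'windows security center.lnk'
            $byTarget = $launch -match 'recycler\.dll'
            if ($byName -or $byTarget) {
                [pscustomobject]@{ Artifact = 'StartupLink'; Path = $lnk.FullName; Detail = $launch }
            }
        }
    }
}

Get-CucirkArtifact | Format-Table -AutoSize -Wrap
```

A hit on a file name alone is a lead for further analysis, not a confirmed detection; run the function once per user profile, since all three locations are per-user.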



Analysis by Patrick Estavillo

Last update 22 February 2012

 
