
TrojanDropper:Win32/Duberath.A


First posted on 26 April 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Duberath.A is also known as Dropper/Muldrop.180224.B (AhnLab), Win32/VB.OWN (ESET), Trojan-Dropper.Win32.Mulrop.hcm (Kaspersky), W32/Mudrop.CJX (Norman), Trojan.Dosvine (Symantec), TROJ_FAYKDOBE.A (Trend Micro).

Explanation :

TrojanDropper:Win32/Duberath.A is Microsoft's detection for a trojan dropper pretending to be an Adobe Flash Player update. The trojan installs variants of Win32/Duberath, a trojan that allows unauthorized remote access and control of an affected computer.

Installation :

When executed, TrojanDropper:Win32/Duberath.A installs other variants of Win32/Duberath. For example, we have observed this trojan distribute various components, including some with backdoor functionality, by installing the following files:

%ProgramFiles%\Adobe\Reader 9.0\Reader\zf32.dll - ZLib helper
%ProgramFiles%\Adobe\Reader 9.0\Reader\AdobeUpdater.exe - Trojan:Win32/Duberath.B
%ProgramFiles%\Windows Defender\MPClient.exe - Trojan:Win32/Duberath.C
%ProgramFiles%\Windows Defender\MPSvc.exe - Trojan:Win32/Duberath.D
%ProgramFiles%\Common Files\System\TableTextService.exe - Trojan:Win32/Duberath.E
%Windir%\system32\zf32.dll - ZLib helper
%Windir%\system32\mscommon.inf - packed data
%Windir%\system32\msconfig32.sys - corrupted file
%Windir%\system32\Setup\zf32.dll - ZLib helper
%Windir%\system32\Setup\AdobeUpdater.exe - Trojan:Win32/Duberath.B
%Windir%\system32\Setup\MPClient.exe - Trojan:Win32/Duberath.C
%Windir%\system32\Setup\MPSvc.exe - Trojan:Win32/Duberath.D
%Windir%\system32\Setup\TableTextService.exe - Trojan:Win32/Duberath.E

The registry is modified to run the installed components at each Windows start:

Adds value: "Microsoft Text Input Processor"
With data: "%ProgramFiles%\Common Files\System\TableTextService.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "Adobe Update Manager"
With data: "%ProgramFiles%\Adobe\Reader 9.0\Reader\AdobeUpdater.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "Microsoft Text Input Processor"
With data: "%ProgramFiles%\Common Files\System\TableTextService.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds value: "Adobe Update Manager"
With data: "%ProgramFiles%\Adobe\Reader 9.0\Reader\AdobeUpdater.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Windows Firewall policy is modified so that the installed malware is exempted from being blocked by the firewall:

Adds value: "%ProgramFiles%\Adobe\Reader 9.0\Reader\AdobeUpdater.exe"
With data: "%ProgramFiles%\Adobe\Reader 9.0\Reader\AdobeUpdater.exe:*:Enabled:Adobe Software Updater"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Payload :

Connects to remote servers

The installed components attempt to connect to the following remote servers:

www.update-adobe.com:80
adobe.ath.cx:80
tyuqwer.dyndns.org:80
ymail.ath.cx:8585
voanews.ath.cx:8585
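As an added example (not part of the original analysis), the following PowerShell audit checks a host for the Run-key persistence, firewall exception, dropped files and C2 host names listed above. It assumes an elevated session and that the paths expand from $env:ProgramFiles and $env:windir; the DNS-cache check is an extra heuristic of mine, not something the analysis describes.

```powershell
# Added example: audit a host for the Duberath artefacts listed in this analysis.
# Run from an elevated PowerShell session. On 64-bit Windows also check
# ${env:ProgramFiles(x86)} if the dropper ran as a 32-bit process (assumption).
$pf  = $env:ProgramFiles
$win = $env:windir

$runValues = @{                      # value name -> data observed by the analysis
    'Microsoft Text Input Processor' = "$pf\Common Files\System\TableTextService.exe"
    'Adobe Update Manager'           = "$pf\Adobe\Reader 9.0\Reader\AdobeUpdater.exe"
}
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$fwList  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$files   = "$pf\Adobe\Reader 9.0\Reader\zf32.dll", "$pf\Adobe\Reader 9.0\Reader\AdobeUpdater.exe",
           "$pf\Windows Defender\MPClient.exe", "$pf\Windows Defender\MPSvc.exe",
           "$pf\Common Files\System\TableTextService.exe",
           "$win\system32\zf32.dll", "$win\system32\mscommon.inf", "$win\system32\msconfig32.sys",
           "$win\system32\Setup\zf32.dll", "$win\system32\Setup\AdobeUpdater.exe",
           "$win\system32\Setup\MPClient.exe", "$win\system32\Setup\MPSvc.exe",
           "$win\system32\Setup\TableTextService.exe"
$c2Hosts = 'update-adobe\.com', 'adobe\.ath\.cx', 'tyuqwer\.dyndns\.org', 'ymail\.ath\.cx', 'voanews\.ath\.cx'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence: flag the value names the dropper uses, whatever they point at.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues.Keys) {
        $p = $props.PSObject.Properties[$name]
        if ($p) { $findings.Add("Run value '$name' in $key -> $($p.Value)") }
    }
}

# 2. Firewall exception: value name is the exe path, data is "path:*:Enabled:display name".
if (Test-Path $fwList) {
    (Get-ItemProperty -Path $fwList).PSObject.Properties |
        Where-Object { $_.Name -like '*\AdobeUpdater.exe' -and $_.Value -like '*:Enabled:Adobe Software Updater' } |
        ForEach-Object { $findings.Add("Firewall exception: $($_.Name) = $($_.Value)") }
}

# 3. Dropped files on disk (legitimate Adobe/Defender folders never contain these names).
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") } }

# 4. Resolver cache: a hit means some process already looked up one of the C2 hosts.
ipconfig /displaydns 2>$null | Select-String -Pattern ($c2Hosts -join '|') |
    ForEach-Object { $findings.Add("DNS cache entry: $($_.Line.Trim())") }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Duberath artefacts found.' }
```

A hit on the Run-key or firewall check is the strongest signal, since the display names and the "Adobe Software Updater" exception string are specific to this dropper; a DNS-cache hit alone only shows a lookup occurred.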

Analysis by Jireh Sanico

Last update 26 April 2010
