Home / malwarePDF  

TrojanDownloader:Win32/Carberp.A


First posted on 17 September 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Carberp.A is also known as Backdoor.Win32.IRCNite.jg (Kaspersky), Trojan.Zbot (Symantec).

Explanation :

TrojanDownloader:Win32/Carberp.A is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected computer.
Top

TrojanDownloader:Win32/Carberp.A is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected computer. Installation When executed, TrojanDownloader:Win32/Carberp.A copies itself to the following locations:

  • c:\documents and settings\administrator\local settings\temp\11.tmp
  • c:\documents and settings\administrator\start menu\programs\startup\msconfig32.exe

    • The malware creates the following files on an affected computer:
  • c:\documents and settings\administrator\local settings\temp\10.tmp
  • c:\documents and settings\administrator\local settings\temp\12.tmp
  • c:\documents and settings\administrator\local settings\temp\13.tmp
  • c:\documents and settings\administrator\local settings\temp\14.tmp
  • c:\documents and settings\administrator\local settings\temp\15.tmp
  • c:\documents and settings\administrator\local settings\temp\16.tmp
  • c:\documents and settings\administrator\local settings\temp\17.tmp
  • c:\documents and settings\administrator\local settings\temp\e.tmp
  • c:\documents and settings\administrator\local settings\temp\f.tmp

    • The malware utilizes code injection in order to hinder detection and removal. When TrojanDownloader:Win32/Carberp.A executes, it may inject code into running processes, including the following, for example:

  • explorer.exe

    • Payload Contacts remote host TrojanDownloader:Win32/Carberp.A may contact a remote host at iliked.org using port 80. Commonly, malware may contact a remote host for the following purposes:
    • To report a new infection to its author
    • To receive configuration or other data
    • To download and execute arbitrary files (including updates or additional malware)
    • To receive instruction from a remote attacker
    • To upload data taken from the affected computer

    This malware description was produced and published using our automated analysis system's examination of file SHA1 f0711c3d8a16974334e851fa267eed90b209873a.

    Last update 17 September 2010

     

    TOP

    Malware :

    Family: