
Trojan:Win32/Estiwir.A


First posted on 16 May 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Estiwir.A is also known as Win-Trojan/Agent.42496.US (AhnLab), W32/OnlineGames.IS.gen!Eldorado (Command), Trojan.Win32.Mixil.f (Kaspersky), winpe/Suspicious_Gen4.CFUOV (Norman), Win32/DH.FF85019D{Mw} (AVG), TR/Spy.Browser.1894 (Avira), Gen:Trojan.Heur.bi5@ID6llpi (BitDefender), Trojan.Siggen4.56382 (Dr.Web), Win32/TrojanDownloader.Agent.RRX trojan (ESET), Packer.Malware.NSAnti (Ikarus), Generic.atg-FAXG!39BB69F46394 (McAfee), Trojan.PSW.OnlineGames!4D9C (Rising AV).

Explanation:

Installation

Trojan:Win32/Estiwir.A arrives on your computer as a .DLL file. It is downloaded by other trojans, including PWS:Win32/OnLineGames.AH and PWS:Win32/Lolyda.BF.

It is installed in the <system folder> as Midimap.dll, replacing the legitimate Midimap.dll file.

Payload

Downloads other malware

When run, Trojan:Win32/Estiwir.A is injected into Explorer.exe. It then downloads and runs other malware, including PWS:Win32/OnLineGames.AH.

The downloaded malware files are saved to the %TEMP% folder and run from there, with the filename <10 numbers>.exe (for example, 7223939032.exe).

In the wild, we have seen additional malware downloaded from the following URLs:

  • blue.iaevkw.com/<removed>/sheet3.rar
  • blue.ixcylp.com/<removed>/sheet3.rar
  • now.eyrzaz.com/<removed>/witer3.rar
  • now.toilez.com/<removed>/witer3.rar
  • pler.znfzvd.com/<removed>/witer3.rar
  • pler.zrjqgg.com/<removed>/witer3.rar
  • zip.hvtmcb.com/<removed>/witer3.rar
  • zip.kairwu.com/<removed>/witer3.rar
  • zip.ndksgu.com/<removed>/witer3.rar
  • zip.nnmyuk.com/<removed>/witer3.rar
  • zip.ogagud.com/<removed>/witer3.rar
  • zip.ojpbvw.com/<removed>/witer3.rar
  • zip.qsmoeu.com/<removed>/witer3.rar
  • zip.rwzuok.com/<removed>/witer3.rar

The downloaded malware is detected as PWS:Win32/OnLineGames.AH.

Stops service and deletes files

We have seen Trojan:Win32/Estiwir.A stop the following services:

  • EstRtwIFDrv
  • v3engine

The trojan deletes the file <system folder>\drivers\EstRtw.sys, which is related to the EstRtwIFDrv service.

These services are related to AhnLab security software and an ESTsoft Corp application. It likely stops these services to prevent detection.
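The installation and payload behaviours described above (the replaced Midimap.dll in the system folder, the 10-digit .exe dropped into %TEMP%, the download hosts, the stopped AhnLab and ESTsoft services, and the deleted EstRtw.sys driver) can be turned into host-telemetry detection logic. The following Python is an added example, not code from Microsoft or malwarePDF. It runs over constructed Sysmon-style event records embedded inline; the event field names (type, path, query, url, service) are assumed, and the hostname regex generalises the download hosts listed above (assumption: other hosts share the same <word>.<6 letters>.com shape).

```python
"""Triage constructed endpoint telemetry for Trojan:Win32/Estiwir.A behaviours.

Example code written for this page, not part of the original write-up.
Event records are a constructed, Sysmon-like shape (assumption).
"""
import ntpath
import re
from urllib.parse import urlparse

# Dropped payload name: exactly 10 digits plus ".exe", written under a Temp folder.
DROPPER_NAME = re.compile(r"^\d{10}\.exe$", re.IGNORECASE)

# Hostname shape generalised from the download URLs in the write-up
# (assumption: other hosts follow <blue|now|pler|zip>.<6 letters>.com).
DOWNLOAD_HOST = re.compile(r"^(blue|now|pler|zip)\.[a-z]{6}\.com$", re.IGNORECASE)
DOWNLOAD_FILES = {"sheet3.rar", "witer3.rar"}   # archive names seen in the wild

# Services the trojan stops, the driver it deletes, and the DLL it replaces.
TARGET_SERVICES = {"estrtwifdrv", "v3engine"}
DELETED_DRIVER = "estrtw.sys"
REPLACED_DLL = "midimap.dll"


def _in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def _in_system_dir(path: str) -> bool:
    low = path.lower()
    return "\\system32\\" in low or "\\syswow64\\" in low


def triage_events(events):
    """Return (category, indicator) pairs for events matching the behaviours."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_create":
            path = ev["path"]
            name = ntpath.basename(path)
            if DROPPER_NAME.match(name) and _in_temp(path):
                findings.append(("temp_dropper", path))
            elif name.lower() == REPLACED_DLL and _in_system_dir(path):
                findings.append(("midimap_replaced", path))
        elif kind == "file_delete":
            if ntpath.basename(ev["path"]).lower() == DELETED_DRIVER:
                findings.append(("driver_deleted", ev["path"]))
        elif kind == "dns_query":
            if DOWNLOAD_HOST.match(ev["query"]):
                findings.append(("download_host", ev["query"]))
        elif kind == "http_request":
            parsed = urlparse(ev["url"])
            host = parsed.hostname or ""
            leaf = parsed.path.rsplit("/", 1)[-1].lower()
            if DOWNLOAD_HOST.match(host) or leaf in DOWNLOAD_FILES:
                findings.append(("download_url", ev["url"]))
        elif kind == "service_stop":
            if ev["service"].lower() in TARGET_SERVICES:
                findings.append(("security_service_stopped", ev["service"]))
    return findings


def verdict(findings):
    """Two or more distinct behaviour categories on one host is a strong signal."""
    categories = sorted({kind for kind, _ in findings})
    return len(categories) >= 2, categories


# Constructed sample telemetry: a mix of matching and benign events.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\Midimap.dll"},
    {"type": "file_create", "path": r"C:\Users\user\AppData\Local\Temp\7223939032.exe"},
    {"type": "file_create", "path": r"C:\Users\user\AppData\Local\Temp\report2013.exe"},
    {"type": "dns_query", "query": "zip.kairwu.com"},
    {"type": "dns_query", "query": "www.microsoft.com"},
    {"type": "http_request", "url": "http://now.toilez.com/x/witer3.rar"},
    {"type": "service_stop", "service": "v3engine"},
    {"type": "service_stop", "service": "Spooler"},
    {"type": "file_delete", "path": r"C:\Windows\System32\drivers\EstRtw.sys"},
]

if __name__ == "__main__":
    found = triage_events(SAMPLE_EVENTS)
    for category, indicator in found:
        print(f"{category:26} {indicator}")
    print("likely Estiwir.A activity:", verdict(found))
```

The single-event matches (a 10-digit .exe in Temp, one DNS query) are weak on their own; the verdict function only fires when at least two distinct behaviours are seen on the same host, which is what makes the Midimap.dll replacement plus the stopped AhnLab/ESTsoft services a meaningful combination for an analyst.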
Analysis by Ric Robielos

Last update 16 May 2013
