
TrojanDropper:Win32/Otlard.A


First posted on 28 September 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Otlard.A is also known as Rootkit.Win32.Otlard.a (Kaspersky), W32/Rootkit.AJIF (Norman), Rootkit.Agent.GUVF (VirusBuster), Rootkit.14382 (BitDefender), Win32/Rootkit.Agent.NJG (ESET), Trojan.Win32.Nodef.ecm (Rising AV), Hacktool.Rootkit (Symantec), TROJ_OTLARD.SM (Trend Micro).

Explanation :

TrojanDropper:Win32/Otlard.A is a trojan that drops and registers Trojan:WinNT/Otlard.B as a service.

Payload

Drops other malware

TrojanDropper:Win32/Otlard.A drops a randomly named .sys file under the "<system folder>\drivers" folder. The dropped file is detected as Trojan:WinNT/Otlard.B.

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It creates a registry entry with the same random name to register and load its dropped file as a service:

In subkey: HKLM\System\CurrentControlSet\Services\<randomly-generated service name>
Sets value: "ImagePath"
With data: "<system folder>\drivers\<.sys file>"

In the wild, the dropped file has been known to be named "jaa01fc.sys".
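The persistence pattern above (a kernel-driver service under HKLM\System\CurrentControlSet\Services whose ImagePath points at a .sys file in the drivers folder) can be hunted for offline from a `reg export` of the Services key taken during triage. The script below is an added example and is not code from the original page, from Microsoft, or from the malware itself. The registry export it parses is constructed inline, the host baseline (`BASELINE`) is a hypothetical allow-list of driver services known to belong on the machine, and the only indicator it carries is the in-the-wild file name "jaa01fc.sys" given on the page. It shows how reg.exe encodes REG_EXPAND_SZ values (hex(2) UTF-16LE with backslash line continuations) and flags driver services that are not in the baseline or whose image name matches the indicator.

```python
"""Offline triage of `reg export HKLM\\System\\CurrentControlSet\\Services` output.

Flags kernel-driver services (Type = 1) whose ImagePath is a .sys file under a
drivers folder and that are either absent from a host baseline or named after a
known indicator. Sample export and baseline are constructed for this example.
"""
from __future__ import annotations

import re

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\"
KERNEL_DRIVER = 0x1                      # SERVICE_KERNEL_DRIVER
BASELINE = frozenset({"examplenic"})     # hypothetical per-host allow-list
KNOWN_IOCS = frozenset({"jaa01fc.sys"})  # file name reported on the page


def _as_hex2(value: str) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: NUL-terminated
    UTF-16LE octets, comma separated, wrapped with backslash continuations."""
    octets = [f"{b:02x}" for b in (value + "\x00").encode("utf-16-le")]
    chunks = [",".join(octets[i:i + 16]) for i in range(0, len(octets), 16)]
    return "hex(2):" + ",\\\n  ".join(chunks)


# Constructed export: one baselined NIC driver (with a Parameters subkey that
# must be ignored), one unknown driver named like the page's indicator, and a
# user-mode service that must not be reported even though it is not baselined.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\examplenic]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000003',
    r'"ImagePath"="system32\\drivers\\examplenic.sys"',
    "",
    r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\examplenic\Parameters]",
    '"Flags"=dword:00000000',
    "",
    r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\jaa01fc]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000002',
    '"ErrorControl"=dword:00000000',
    '"ImagePath"=' + _as_hex2(r"\SystemRoot\System32\drivers\jaa01fc.sys"),
    "",
    r"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\examplesvc]",
    '"Type"=dword:00000010',
    '"ImagePath"=' + _as_hex2(r"C:\Program Files\Example\examplesvc.exe"),
])


def _decode_value(data: str) -> object:
    """Decode the data half of a `"name"=data` line for the common types."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])       # REG_SZ, unescape \\ and \"
    if data.startswith("dword:"):
        return int(data[6:], 16)                          # REG_DWORD
    if data.startswith("hex(2):"):                        # REG_EXPAND_SZ
        octets = bytes(int(b, 16) for b in data[7:].split(",") if b)
        return octets.decode("utf-16-le").rstrip("\x00")
    return data                                           # other types left raw


def parse_services_export(text: str) -> dict[str, dict[str, object]]:
    """Return {service_name: {value_name: value}} for direct children of the
    Services key, joining reg.exe's backslash-continued value lines."""
    services: dict[str, dict[str, object]] = {}
    current: dict[str, object] | None = None
    buffered = ""
    for raw_line in text.splitlines():
        line = buffered + raw_line.strip()
        if line.endswith("\\"):            # value continues on the next line
            buffered = line[:-1]
            continue
        buffered = ""
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(SERVICES_PREFIX.lower()):
                rel = key[len(SERVICES_PREFIX):]
                if "\\" not in rel:        # skip Parameters\ and other subkeys
                    current = services.setdefault(rel, {})
            continue
        if current is None:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m:
            current[m.group(1)] = _decode_value(m.group(2))
    return services


def find_unbaselined_drivers(services, baseline, known_iocs=frozenset()):
    """Return (service, image_path, reasons) for driver services worth a look."""
    findings = []
    for name, values in services.items():
        if values.get("Type") != KERNEL_DRIVER:
            continue
        image = str(values.get("ImagePath", ""))
        base = image.rsplit("\\", 1)[-1].lower()
        if not base.endswith(".sys") or "\\drivers\\" not in image.lower():
            continue
        reasons = []
        if name.lower() not in baseline:
            reasons.append("driver service not in host baseline")
        if base in known_iocs:
            reasons.append(f"image name matches known indicator {base}")
        if reasons:
            findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for svc, image, why in find_unbaselined_drivers(
            parse_services_export(SAMPLE_EXPORT), BASELINE, KNOWN_IOCS):
        print(f"{svc}: {image} -> {'; '.join(why)}")
```

A hit only says the service is not on the baseline; confirming it still means pulling the referenced .sys, checking its signature and hash, and comparing the service's creation time against the incident window. Because ImagePath is usually REG_EXPAND_SZ, values such as \SystemRoot\System32\drivers\... are returned unexpanded, which is why the check matches on the "\drivers\" component rather than a full path.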

Analysis by Marianne Mallen

Last update 28 September 2010

