Trojan-Downloader:W32/Mebroot.gen!B
First posted on 08 July 2009.
Source: SecurityHome
Aliases :
There are no other names known for Trojan-Downloader:W32/Mebroot.gen!B.
Explanation :
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Additional Details :
Trojan-Downloader:W32/Mebroot.gen!B is a Generic Detection that identifies the downloader program responsible for fetching the Mebroot installer.
The downloader is known to be distributed to users via a malicious website (drive-by download) or via an exploit.
When active, the downloader fetches an encrypted file over port 443 or 80 from:
• http://bcoxgcgxes.com (encrypted file)
where (encrypted file) is a string hard-coded in the sample. This string is unique to every sample, so the domain, not the path, is the stable indicator.
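The practical use of the indicator above is a hunt across web proxy logs for fetches from the C2 domain on the two listed ports. The following is an added example, not code from the original description or from the malware: the domain bcoxgcgxes.com and ports 80/443 come from the description, while the log layout and the sample lines are constructed here. It matches the host exactly rather than as a substring, so a look-alike domain that merely contains the C2 name is not flagged, and it treats the URL path as a per-sample pivot rather than a family-wide signature.

```python
"""Hunt for the Mebroot downloader's C2 fetch in web proxy logs.

Added example, not code from the original advisory or from the malware.
The domain (bcoxgcgxes.com) and ports (80, 443) are taken from the
description; the log format and the sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit

C2_DOMAINS = {"bcoxgcgxes.com"}
C2_PORTS = {80, 443}

# Constructed sample log lines in a squid-like layout:
#   timestamp client-ip METHOD target status bytes
SAMPLE_LOG = """\
1247000001.123 10.0.0.5 GET http://www.example.com/index.html 200 5120
1247000002.456 10.0.0.7 GET http://bcoxgcgxes.com/Hq3xLpZ9 200 81920
1247000003.789 10.0.0.7 CONNECT bcoxgcgxes.com:443 200 65536
1247000004.012 10.0.0.9 GET http://bcoxgcgxes.com.evil-example.net/a 404 0
1247000005.345 10.0.0.11 GET http://BCOXGCGXES.COM:80/kd9QwErT 200 81920
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<target>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def split_target(method, target):
    """Return (host, port, path) for a plain URL or a CONNECT host:port.

    CONNECT lines carry no path: the TLS tunnel hides the request URI, so
    the only usable indicator there is the destination host and port.
    """
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.lower(), (int(port) if port else 443), None
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, port, parts.path


def find_c2_hits(log_text):
    """Return one dict per log line that contacts a C2 domain on a C2 port."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        host, port, path = split_target(m["method"], m["target"])
        # Exact host match: "bcoxgcgxes.com.evil-example.net" must not match.
        if host in C2_DOMAINS and port in C2_PORTS:
            hits.append({
                "client": m["client"],
                "host": host,
                "port": port,
                # The path is the per-sample "(encrypted file)" string; it
                # identifies one sample, so it is recorded, not matched on.
                "path": path,
                "bytes": int(m["bytes"]),
            })
    return hits


def affected_clients(hits):
    """Distinct client addresses that reached the C2, for triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    print("clients to triage:", affected_clients(found))
```

Run over real proxy exports, feed the recorded paths back into sample triage: two clients fetching different paths from the same domain were most likely hit by two distinct builds of the downloader.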
Once downloaded, the encrypted file is first held in an allocated memory buffer, where it is decrypted, then written to a file in a temporary folder. That file is then executed.
The file is encrypted with the RC2 algorithm. The hash from which the decryption key is derived is computed over a defined string that is likewise unique to every sample, so the key cannot be reused across samples.
Last update 08 July 2009