
TrojanDownloader:Win32/Monkif.T


First posted on 23 November 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Monkif.T is also known as Trojan-Downloader.Win32.Myxa.czh (Kaspersky), Downloader-BLV.gen.b (McAfee), Trojan.DL.Myxa.AAH (VirusBuster).

Explanation :

TrojanDownloader:Win32/Monkif.T is a trojan that downloads other malware. It arrives as a DLL file that may be dropped and loaded by other Win32/Monkif variants.

Installation

TrojanDownloader:Win32/Monkif.T may arrive in the computer as a DLL component such as the following:

  • %windir%\msyuv32.dll

It may be dropped and loaded by other Win32/Monkif variants.

When run, it creates a mutex named "UIEI" to avoid multiple instances of the trojan running at the same time.

Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Monkif.T downloads malware from predefined Web sites, such as the following:

  • media9s.com
  • nopagency.com
  • 88.80.7.152

The URL it requests is built from gathered system information and has the following format:

<server>/photo/<random string1>.php?dti=<system data string2>

Where the above data is generated from the following:

  • <random string1> - random text based on how long the trojan has run on the infected computer
  • <system data string2> - data such as the type of Internet connection and what AV or security programs are running on the machine

The trojan attempts to connect to the above listed servers at specific time intervals to download and run arbitrary files. The downloaded file is then executed on the infected computer.
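
A detection sketch for the request format described above, as an added example that is not part of the original write-up: it scores proxy-log URLs by whether the host is one of the listed servers and whether the path and query match `/photo/<name>.php?dti=...`. The log layout, the sample lines and the confidence labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Servers named in the write-up above.
MONKIF_HOSTS = {"media9s.com", "nopagency.com", "88.80.7.152"}

# <server>/photo/<random string1>.php?dti=<system data string2>
# The write-up does not give the character set of <random string1>, so any
# single path segment is accepted here (assumption).
BEACON_PATH = re.compile(r"^/photo/[^/]+\.php$", re.IGNORECASE)

def classify(url):
    """Score one requested URL: 'high', 'medium', 'low' or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    known_host = host in MONKIF_HOSTS
    has_dti = "dti" in parse_qs(parts.query, keep_blank_values=True)
    beacon_shape = bool(BEACON_PATH.match(parts.path)) and has_dti
    if known_host and beacon_shape:
        return "high"      # listed server and documented URL format
    if beacon_shape:
        return "medium"    # same format, unlisted server (list is "such as")
    if known_host:
        return "low"       # listed server, different request
    return None

def scan(log_lines):
    """Return (client, url, verdict) for every matching proxy-log line."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:          # skip malformed lines
            continue
        client, url = fields[1], fields[3]
        verdict = classify(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits

# Constructed sample log: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2010-11-23T10:00:01Z 10.0.0.5 GET http://media9s.com/photo/kqzt.php?dti=A1B2C3 200",
    "2010-11-23T10:00:09Z 10.0.0.7 GET http://example.net/photo/wprm.php?dti=D4E5 200",
    "2010-11-23T10:01:30Z 10.0.0.8 GET http://nopagency.com/index.html 404",
    "2010-11-23T10:02:11Z 10.0.0.9 GET http://example.org/photo/gallery.php?id=7 200",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A "medium" hit on an unlisted server is worth correlating with host evidence from the write-up, such as the `msyuv32.dll` file in `%windir%` or the "UIEI" mutex.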

    Analysis by Rex Plantado

    Last update 23 November 2010

     
