
TrojanDownloader:Win32/Dalexis.C


First posted on 18 December 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Dalexis.C.

Explanation :

Threat behavior

Installation

This threat usually arrives on your PC as a Windows Cabinet archive file (.cab) attached to a spam email. We have seen the attachment use the following file names:

  • CA-77509WAF-88414.cab
  • DO-64647JYG-84271.cab
  • DOGE-41300LEX-96167.cab
  • LE-75482VE-87616.cab
  • NY-92939JOB-11883.cab
  • TIW-42068GEJE-40781.cab
  • WIZA-32992ZURA-35632.cab
  • XO-80756NE-25867.cab


Below is an example of the spam email:

From:
Date: 16 December 2014 at 13:32
Subject: Attention: BE-99298QES-37681
To:

===========================================
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
===========================================

Notification Number: 3222619
Mandate Number: 4440667
Date: December 16, 2014. 02:13pm

In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file "BE-99298QES-37681.cab" for details.

Sincerely,

+07700 18 51 04

The attached .cab file contains a file with the same file name as the .cab file but with a .scr extension. The file uses the Microsoft Word icon, but is actually an executable file that will run if you double-click it or try to open it.
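As an added defender-side example, not part of the Microsoft write-up: a Python triage routine that walks the CFFILE directory of a Microsoft Cabinet archive and flags an executable member whose base name matches the archive's own, which is the lure pattern described above. The sample cabinet bytes and member names are constructed for illustration.

```python
# Added example (not from the original advisory): triage a .cab email attachment
# by reading the CFFILE directory of the Microsoft Cabinet format and flagging
# members that match the ".cab containing <same name>.scr" lure pattern.
import struct

SUSPICIOUS_EXT = {".scr", ".exe", ".pif", ".com"}

def build_cab(member_names):
    """Build a minimal, data-less CAB (header + one folder + CFFILE entries).
    Constructed for testing only; there is no compressed payload."""
    files = b""
    for name in member_names:
        # cbFile, uoffFolderStart, iFolder, date, time, attribs, then szName (NUL-terminated)
        files += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + name.encode() + b"\x00"
    folder = struct.pack("<IHH", 0, 0, 0)  # coffCabStart, cCFData, typeCompress = none
    coff_files = 36 + len(folder)           # CFHEADER is 36 bytes without reserve fields
    header = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, coff_files + len(files), 0,
                         coff_files, 0, 3, 1, 1, len(member_names), 0, 0, 0)
    return header + folder + files

def list_cab_members(data):
    """Return member file names by walking the CFFILE entries of a cabinet."""
    if data[:4] != b"MSCF":
        raise ValueError("not a Microsoft Cabinet file")
    coff_files, = struct.unpack_from("<I", data, 16)   # offset of first CFFILE
    n_files, = struct.unpack_from("<H", data, 28)      # cFiles
    names, pos = [], coff_files
    for _ in range(n_files):
        pos += 16                                      # skip fixed CFFILE fields
        end = data.index(b"\x00", pos)
        names.append(data[pos:end].decode("latin-1"))
        pos = end + 1
    return names

def triage_cab(cab_name, data):
    """Flag executable members, noting when one is named after the archive itself."""
    stem = cab_name.rsplit(".", 1)[0].lower()
    findings = []
    for member in list_cab_members(data):
        base, dot, ext = member.rpartition(".")
        ext = ("." + ext).lower() if dot else ""
        if ext in SUSPICIOUS_EXT:
            reason = "executable member"
            if base.lower() == stem:
                reason += " named after the archive"
            findings.append((member, reason))
    return findings

if __name__ == "__main__":
    sample = build_cab(["BE-99298QES-37681.scr"])  # constructed, mirrors the advisory's lure
    print(triage_cab("BE-99298QES-37681.cab", sample))
```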

The .scr file might look like the following:



Payload

Downloads updates and other malware

When the .scr file is run or opened, it will try to contact a remote server to download other threats.

It also extracts another .cab file that contains a non-malicious Microsoft Word document (.rtf file). It does this to trick you into thinking the .scr file is a harmless Word document.

The .rtf file is usually dropped in the %TEMP% folder using a random file name, for example %TEMP%\52764265.cab.

See the sample .rtf file below:



The .scr file checks for an Internet connection by connecting to a legitimate website, for example windowsupdate.microsoft.com. It then connects to a remote host to download other malware. The remote host's address is hard-coded into the malware.

We have seen it try to connect to the following hosts and download files:

  • dequinnza/language/upupup.tar.gz
  • fotocb./upupup.tar.gz
  • lamas/picture_library/upupup.tar.gz
  • stmarys-andover./upupup.tar.gz


The downloaded file can include updates or other malware. We have seen this threat download the following malware:

  • Win32/Vawtrak
  • Win32/Zbot




Analysis by Rex Plantado

Symptoms

The following can indicate that you have this threat on your PC:

  • You see Word files with a .scr extension like the following:

  • You have a file similar to the following:

Last update 18 December 2014
