Trojan:Win32/Enchanim
First posted on 09 July 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Enchanim is also known as Trojan.Win32.Menti.noix (Kaspersky), WORM_SLENFBOT.JX (Trend Micro).
Explanation:
Trojan:Win32/Enchanim is a trojan that attempts to stop multiple security-related processes for the purpose of downloading and running other malicious code such as Worm:Win32/Gamarue.F.
Installation
This trojan is installed by other malware and is present as a randomly named file in the Windows system folder. The malware uses code injection to hinder detection and removal. When Trojan:Win32/Enchanim executes, it injects its code into running processes, including the following, for example:
- csrss.exe
- explorer.exe
- lsass.exe
- svchost.exe
Payload
Terminates processes
Trojan:Win32/Enchanim attempts to stop the following processes, many of which are security-related:
- cfp.exe
- avp.exe
- kaspersky.exe
- op_mon.exe
- mcafee.exe
- mcagent.exe
- mcshield.exe
- mctray.exe
- mcsvhost.exe
- mfevtps.exe
- mfefire.exe
- zonealarm.exe
- egui.exe
- nod32.exe
- ekrn.exe
- nod32kui.exe
- msseces.exe
- spiderui.exe
- drwagntd.exe
- drwagnui.exe
- spiderml.exe
- spidernt.exe
- avscan.exe
- avnotify.exe
- avgnt.exe
- ashdisp.exe
- AVGIDSMonitor.exe
- avgnsx.exe
- avgcsrvx.exe
- avgrsx.exe
- avgw.exe
- avgamsvr.exe
- avg.exe
- avgwdsvc
- norton.exe
- ccsvchst.exe
- psctrls.exe
- pavfnsvr.exe
- pshost.exe
- avengine.exe
Downloads other malware
Trojan:Win32/Enchanim may contact a remote host at 188.190.98.166 using port 80 to download other malware, such as Worm:Win32/Gamarue.F. This trojan was also observed to contact a remote host at 31.186.102.156 using port 80.
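The three behaviours described above (terminating the listed security processes, injecting into csrss.exe, explorer.exe, lsass.exe or svchost.exe, and fetching payloads from 188.190.98.166 or 31.186.102.156 over port 80) are what an analyst would correlate in endpoint telemetry. The script below is an added example and is not Microsoft's code or part of this analysis. It assumes events shaped like Sysmon Event ID 10 (ProcessAccess), 8 (CreateRemoteThread) and 3 (NetworkConnect), which did not exist when this page was written; the indicator lists are copied from the page, and the sample events (including the random file name kdfjqlm.exe) are constructed for the demonstration.

```python
"""Hunt for Enchanim-style behaviour in Sysmon-shaped process telemetry.

Added example, not Microsoft's analysis or tooling. It assumes events shaped
like Sysmon Event ID 10 (ProcessAccess), 8 (CreateRemoteThread) and
3 (NetworkConnect); the indicator lists come from the page above, and the
sample events are constructed for the demo.
"""
import os
from collections import defaultdict


def norm(image_path):
    """Lower-case basename without extension, so 'avgwdsvc' (listed on the
    page without .exe) and 'AVGIDSMonitor.exe' both compare cleanly."""
    return os.path.splitext(os.path.basename(image_path.replace("\\", "/")))[0].lower()


# Security-related processes the trojan tries to terminate (from the page).
KILL_TARGETS = {norm(n) for n in """
cfp.exe avp.exe kaspersky.exe op_mon.exe mcafee.exe mcagent.exe mcshield.exe
mctray.exe mcsvhost.exe mfevtps.exe mfefire.exe zonealarm.exe egui.exe nod32.exe
ekrn.exe nod32kui.exe msseces.exe spiderui.exe drwagntd.exe drwagnui.exe
spiderml.exe spidernt.exe avscan.exe avnotify.exe avgnt.exe ashdisp.exe
AVGIDSMonitor.exe avgnsx.exe avgcsrvx.exe avgrsx.exe avgw.exe avgamsvr.exe
avg.exe avgwdsvc norton.exe ccsvchst.exe psctrls.exe pavfnsvr.exe pshost.exe
avengine.exe
""".split()}

# Processes the trojan injects its code into (from the page).
INJECT_HOSTS = {norm(n) for n in ("csrss.exe", "explorer.exe", "lsass.exe", "svchost.exe")}

# Download/C2 hosts contacted on TCP port 80 (from the page).
C2_IPS = {"188.190.98.166", "31.186.102.156"}

PROCESS_TERMINATE = 0x0001  # access-mask bit required for TerminateProcess


def hunt(events):
    """Return {source image: {"terminate": set, "inject": set, "c2": set}}.

    Beacons from an injected host are also credited to the process that
    injected into it; otherwise the dropper looks clean and only
    explorer.exe/svchost.exe show the network activity."""
    hits = defaultdict(lambda: {"terminate": set(), "inject": set(), "c2": set()})
    c2_by_host = defaultdict(set)  # stem of the connecting image -> IPs
    for ev in events:
        eid = ev["EventID"]
        if eid == 10:
            src, tgt = ev["SourceImage"], norm(ev["TargetImage"])
            # Vendor components legitimately restart each other; skip those.
            if norm(src) in KILL_TARGETS:
                continue
            if tgt in KILL_TARGETS and int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
                hits[src]["terminate"].add(tgt)
        elif eid == 8:
            tgt = norm(ev["TargetImage"])
            if tgt in INJECT_HOSTS:
                hits[ev["SourceImage"]]["inject"].add(tgt)
        elif eid == 3:
            if ev["DestinationIp"] in C2_IPS and int(ev["DestinationPort"]) == 80:
                hits[ev["Image"]]["c2"].add(ev["DestinationIp"])
                c2_by_host[norm(ev["Image"])].add(ev["DestinationIp"])
    for f in hits.values():
        for host in f["inject"]:
            f["c2"] |= c2_by_host.get(host, set())
    return dict(hits)


def triage(findings):
    """'high' when a source trips all three behaviours, 'medium' for two,
    'low' for one (terminate-only hits are common from uninstallers)."""
    return {img: {3: "high", 2: "medium"}.get(sum(1 for v in f.values() if v), "low")
            for img, f in findings.items()}


# Constructed sample telemetry, not real logs. The random system-folder file
# name and the AV product paths are made up for the demo.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\kdfjqlm.exe",
     "TargetImage": r"C:\Program Files\AVG\avgwdsvc.exe", "GrantedAccess": "0x1"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\kdfjqlm.exe",
     "TargetImage": r"C:\Program Files\Kaspersky Lab\avp.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\kdfjqlm.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "188.190.98.166", "DestinationPort": "80"},
    # Benign noise: a vendor component restarting its own tray process.
    {"EventID": 10, "SourceImage": r"C:\Program Files\McAfee\mcshield.exe",
     "TargetImage": r"C:\Program Files\McAfee\mctray.exe", "GrantedAccess": "0x1"},
    # Benign noise: Task Manager opening a query-only handle (no terminate bit).
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Program Files\ESET\ekrn.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for image, level in triage(found).items():
        print(level, image, found[image])
```

On the constructed events the dropper is rated high because it both terminates two listed products and injects into explorer.exe, and the beacon that explorer.exe then sends to 188.190.98.166 is credited back to it; explorer.exe on its own rates low, and the vendor self-restart and the query-only handle from Task Manager produce no findings. Hunting on the access mask rather than on handle opens alone is what keeps the second kind of noise out.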
Analysis by Jeong Mun
Last update 09 July 2012