TrojanDownloader:Win32/Safwin.A
First posted on 18 January 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Safwin.A is also known as Trojan.DownLoader4.60524 (Dr.Web), Trojan.Win32.Fednu.tnt (Rising AV).
Explanation:
TrojanDownloader:Win32/Safwin.A is a program that reports certain software installations to a remote server and downloads and installs arbitrary files without adequate user consent.
Installation
TrojanDownloader:Win32/Safwin.A may be distributed as a file with an enticing name such as "Windows-PlayerS1.52.EXe". When run, it creates a mutex named "mutex_UpSoft_.x" and performs its payload.
Payload
Communicates with a remote server
TrojanDownloader:Win32/Safwin.A checks for the presence of files within the following folder locations:
- E:\Program Files\360\360Safe
- D:\Program Files\360\360Safe
- C:\Program Files\360\360Safe
Win32/Safwin reports its discovery to a server named "vip.yaquio.com" using a server-side PHP script.
Downloads arbitrary files
Win32/Safwin creates the following file folders that are used to store downloaded files:
- c:\WinSafe\
- c:\Program Files\Wcsmie
TrojanDownloader:Win32/Safwin.A attempts to download files from the domain "d.5656mu.com" and save them to the following locations:
- c:\WinSafe\FunshionInstall2.4.2.56.exe
- c:\WinSafe\Rwin.exe
- c:\WinSafe\TangShi.vbe
- c:\WinSafe\SongCi.vbe
- c:\WinSafe\KuaiZip_Setup_10062.exe
- c:\Program Files\Wcsmie\Masker.dat
The executable files are then run.
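As an added example (not part of the Microsoft write-up), the behaviour chain above can be turned into host-side detection logic: flag the mutex name and the two hostnames on sight, and correlate a file written under one of the drop folders with a later process start from that same path, since the write-up states the downloaded executables are run. The event records and their field names (kind, name, host, path) are constructed assumptions, not real telemetry.

```python
"""Correlate constructed host events against the Safwin.A indicators."""

SAFWIN_MUTEX = "mutex_UpSoft_.x"
SAFWIN_HOSTS = {"vip.yaquio.com", "d.5656mu.com"}
SAFWIN_DROP_DIRS = ("c:\\winsafe\\", "c:\\program files\\wcsmie\\")


def _in_drop_dir(path):
    """Case-insensitive check that a path sits under a Safwin drop folder."""
    return path.lower().startswith(SAFWIN_DROP_DIRS)


def scan_events(events):
    """Return the indicators matched, in the order they were observed.

    Single-event hits: the mutex name and the two hostnames.
    Correlated hit: a file written under a drop folder that is later
    started as a process from that same path.
    """
    hits = []
    written = set()  # lower-cased paths already seen being written
    for ev in events:
        kind = ev["kind"]
        if kind == "mutex" and ev["name"] == SAFWIN_MUTEX:
            hits.append(("mutex", ev["name"]))
        elif kind == "dns" and ev["host"].lower() in SAFWIN_HOSTS:
            hits.append(("host", ev["host"].lower()))
        elif kind == "file_write" and _in_drop_dir(ev["path"]):
            written.add(ev["path"].lower())
            hits.append(("dropped", ev["path"]))
        elif kind == "process_start" and ev["path"].lower() in written:
            hits.append(("dropped_file_executed", ev["path"]))
    return hits


# Constructed sample events, assumed field layout; path casing is mixed on
# purpose so the case-insensitive correlation is exercised.
SAMPLE_EVENTS = [
    {"kind": "mutex", "name": "mutex_UpSoft_.x"},
    {"kind": "dns", "host": "vip.yaquio.com"},
    {"kind": "dns", "host": "d.5656mu.com"},
    {"kind": "file_write", "path": "c:\\WinSafe\\Rwin.exe"},
    {"kind": "file_write", "path": "c:\\Program Files\\Wcsmie\\Masker.dat"},
    {"kind": "process_start", "path": "C:\\WinSafe\\rwin.exe"},
    {"kind": "process_start", "path": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for tag, value in scan_events(SAMPLE_EVENTS):
        print(f"{tag}: {value}")
```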
Analysis by Alden Pornasdoro
Last update 18 January 2012