Trojan:Win32/Dembr.C
First posted on 26 March 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Dembr.C is also known as TR/Inject.48128 (Avira), Trojan.Downloader8.21437 (Dr.Web), Trojan/Win32.XwDoor (other).
Explanation:
Installation
Trojan:Win32/Dembr.C starts a new Internet Explorer process and injects itself into it.
Payload
Steals information about your computer
The trojan gathers information about your computer, such as the following:
- The computer's name
- The registered owner
- The registered organization
- The date you installed Windows
It encrypts and sends this data in the form of a unique ID to one of the following servers:
- 199.73.28.6
- 201.28.100.133
- 216.55.164.86
- 96.39.210.33
Note: At the time of analysis, these servers were unavailable for further investigation.
It receives encrypted data from the servers, which it decrypts and writes to a mailslot it created on your network (for example, "\\.mailslot\~DF124").
As the servers are currently inaccessible, we are unable to determine the exact nature of the received data.
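Added example, not part of the Microsoft write-up: a small Python triage script that checks a process/network log for contacts with the four server addresses listed above, and reports separately when the originating image is iexplore.exe, since the trojan runs inside an injected Internet Explorer process. The log format and the sample lines are constructed assumptions, not real telemetry.

```python
import re

# C2 addresses listed in the Microsoft write-up for Trojan:Win32/Dembr.C.
DEMBR_C2 = {"199.73.28.6", "201.28.100.133", "216.55.164.86", "96.39.210.33"}

# Constructed sample log (not real telemetry). Assumed format:
#   timestamp | process image | destination IP | destination port
SAMPLE_LOG = """\
2013-03-26T10:01:02 | C:\\Program Files\\Internet Explorer\\iexplore.exe | 93.184.216.34 | 443
2013-03-26T10:01:05 | C:\\Program Files\\Internet Explorer\\iexplore.exe | 199.73.28.6 | 80
2013-03-26T10:01:09 | C:\\Windows\\System32\\svchost.exe | 201.28.100.133 | 80
2013-03-26T10:02:11 | C:\\Program Files\\Internet Explorer\\iexplore.exe | 96.39.210.33 | 8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<image>.+?) \| (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) \| (?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_dembr_beacons(log_text):
    """Return every connection to a known Dembr.C server, annotated with a verdict.

    The trojan injects into a new Internet Explorer process, so iexplore.exe
    talking to these addresses is the expected pattern; any other image is
    still reported, because the destination alone justifies investigation.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in DEMBR_C2:
            continue
        image_name = rec["image"].rsplit("\\", 1)[-1].lower()
        rec["verdict"] = (
            "dembr-c2-from-iexplore" if image_name == "iexplore.exe"
            else "dembr-c2-from-other-process"
        )
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_dembr_beacons(SAMPLE_LOG):
        print(h["ts"], h["verdict"], h["image"], h["dst"], h["port"])
```

Because the servers were already unreachable at analysis time, a hit on these addresses is mainly useful in historical logs, and the mailslot write described above is the host-side artifact to look for on the flagged machine.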
Analysis by Alden Pornasdoro
Last update 26 March 2013