TrojanDownloader:Win32/Karagany.I
First posted on 22 February 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Karagany.I is also known as Trojan/Win32.Jorik (AhnLab), TR/Karagany.lnbh (Avira), Win32/TrojanDownloader.Vespula.AF (ESET), Trojan.Win32.Menti.lbbw (Kaspersky), Mal/Miio-B (Sophos).
Explanation:
TrojanDownloader:Win32/Karagany.I is a detection for an installer component of the "Incognito exploit pack". The component downloads and executes other malware as the next stage of the payload. Win32/Karagany is a multi-component trojan that communicates with a command and control (C&C) server.
After performing its malicious routine, the trojan removes its presence by deleting its installed copy.
Installation
TrojanDownloader:Win32/Karagany.I is encountered when visiting certain websites that contain the "Incognito exploit pack" and is run by a malicious Java applet. The pack uses a series of exploits to maximize the chance of executing successfully.
Payload
Downloads other malware
TrojanDownloader:Win32/Karagany.I connects to a remote server over HTTP (TCP port 80), which replies with an encrypted malware binary. TrojanDownloader:Win32/Karagany.I then decrypts and executes this file. In the wild, this trojan has been observed to download and execute variants of the following malware families:
- Win32/Sirefef
- Win32/FakeRean
The downloaded file may be saved in the %TEMP% folder under sequential hexadecimal file names, as in the following examples:
- %TEMP%\~!#7.tmp
- %TEMP%\~!#8.tmp
- %TEMP%\~!#9.tmp
- %TEMP%\~!#a.tmp
- %TEMP%\~!#b.tmp
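The file-naming pattern above (`~!#<hex>.tmp`, with the hex part incrementing) is something a responder can check for on a host. The following Python script is an added example by this page's editor, not Microsoft's detection logic: it matches directory listings against that pattern, sorts the hits by their hex index, and reports how long the longest run of consecutive indices is, since a run of several such names is the behaviour the page describes. The regex, the `min_run` threshold and the sample listing are this editor's assumptions.

```python
import re
import tempfile
from pathlib import Path

# Drop-file pattern described on the page: %TEMP%\~!#<hex>.tmp with sequential
# hexadecimal names. The regex is this editor's reading of that pattern (assumption).
DROP_NAME = re.compile(r"^~!#([0-9a-fA-F]+)\.tmp$")


def find_drop_files(names):
    """Return (name, index) pairs for filenames matching ~!#<hex>.tmp, sorted by index."""
    hits = []
    for name in names:
        m = DROP_NAME.match(name)
        if m:
            hits.append((name, int(m.group(1), 16)))
    return sorted(hits, key=lambda h: h[1])


def longest_sequential_run(hits):
    """Length of the longest run of consecutive hex indices among the sorted hits."""
    if not hits:
        return 0
    best = run = 1
    indices = [h[1] for h in hits]
    for prev, cur in zip(indices, indices[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def scan_temp(temp_dir=None, min_run=3):
    """Scan a directory (default: this user's TEMP folder) and flag suspicious runs.

    min_run is an assumed threshold: a single ~!#<hex>.tmp file could be noise,
    while several consecutive ones match the download behaviour on the page.
    """
    temp_dir = Path(temp_dir or tempfile.gettempdir())
    names = [p.name for p in temp_dir.iterdir() if p.is_file()]
    hits = find_drop_files(names)
    run = longest_sequential_run(hits)
    return {"matches": hits, "longest_run": run, "suspicious": run >= min_run}


# Constructed sample listing (not a real capture): the five names from the page
# plus unrelated temp files, including one that looks similar but is not hex.
SAMPLE_LISTING = [
    "~!#7.tmp", "~!#8.tmp", "~!#9.tmp", "~!#a.tmp", "~!#b.tmp",
    "setup.log", "~DF1234.tmp", "~!#zz.tmp",
]

if __name__ == "__main__":
    hits = find_drop_files(SAMPLE_LISTING)
    print("matches:", hits)
    print("longest sequential run:", longest_sequential_run(hits))
```

Run it against a live machine with `scan_temp()`; on a clean host the result is an empty match list. The sequential-run check is what keeps a lone, coincidentally named temp file from raising an alert on its own.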
Analysis by Sergey Chernyshev
Last update 22 February 2012