
Trojan:Win32/Chymine.A


First posted on 24 July 2010.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Win32/Chymine.A.

Explanation :

Trojan:Win32/Chymine.A is a trojan that drops a keylogging malware detected as TrojanSpy:Win32/Chymine.A. It consists of several components: an .EXE component and a .DLL component. It may be launched and installed by Exploit:Win32/CplLnk.A.

Installation

Trojan:Win32/Chymine.A may arrive in the computer as a .DLL file that is launched and installed by other malware, such as Exploit:Win32/CplLnk.A. It may arrive with the following file name:

  • GdWbpvo.dll

It downloads the following file:

  • bin.exe - also detected as Trojan:Win32/Chymine.A

It downloads this file from the following IP address:

  • 205.209.171.119

The downloaded file is saved as the following:

  • %APPDATA%\conime.exe

The downloaded file is then executed.

Payload

Drops other malware

Trojan:Win32/Chymine.A drops a .DLL component as the following:

  • %Temp%\..\<random file name>.dll (for example, "BB062E.dll") - detected as TrojanSpy:Win32/Chymine.A

This .DLL component may register itself as a system service that is loaded by the legitimate Windows process "svchost.exe". It may also inject code into other system processes, such as "winlogon.exe". The .DLL component of Trojan:Win32/Chymine.A is capable of performing the following malicious action:

  • Record keystrokes

Additional information

Trojan:Win32/Chymine.A copies the following legitimate Windows file to a different location:

  • <system folder>\rundll32.exe -> %Temp%\..\<random file name>.exe (for example, "BB062E.exe")

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
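The file indicators described above can be checked against a file listing collected from a host. The following is an added example, not part of the original write-up or of any vendor tool; the function names, the sample paths and user name are constructed, and it assumes the dropped .dll and the rundll32.exe copy share a base name, as in the "BB062E" examples.

```python
import ntpath  # Windows path rules on any OS, so the sample runs offline

def norm(path):
    # Case-insensitive, collapses "..", normalises separators.
    return ntpath.normcase(ntpath.normpath(path))

def triage(paths, appdata, temp):
    """Return (indicator, path) findings for a listing of file paths."""
    appdata_dir = norm(appdata)
    drop_dir = norm(ntpath.join(temp, ".."))  # the page's %Temp%\..
    findings, by_stem = [], {}
    for p in paths:
        folder, name = ntpath.split(norm(p))
        stem, ext = ntpath.splitext(name)
        if name == "gdwbpvo.dll":
            findings.append(("arrival DLL name", p))
        # conime.exe belongs in the system folder, not in %APPDATA%.
        if name == "conime.exe" and folder == appdata_dir:
            findings.append(("conime.exe in %APPDATA%", p))
        if folder == drop_dir and ext in (".dll", ".exe"):
            by_stem.setdefault(stem, {})[ext] = p
    # Assumption: the dropped DLL and the rundll32.exe copy share a stem.
    for pair in by_stem.values():
        if len(pair) == 2:
            findings.append(("dll/exe pair in %Temp%\\..", pair[".dll"]))
            findings.append(("dll/exe pair in %Temp%\\..", pair[".exe"]))
    return findings

# Constructed sample listing (hypothetical user "amy").
APPDATA = r"C:\Users\amy\AppData\Roaming"
TEMP = r"C:\Users\amy\AppData\Local\Temp"
SAMPLE = [
    r"C:\Windows\System32\conime.exe",          # expected location, not flagged
    r"C:\Users\amy\AppData\Roaming\conime.exe",
    r"C:\Users\amy\AppData\Local\BB062E.dll",
    r"C:\Users\amy\AppData\Local\BB062E.exe",
    r"C:\Users\amy\AppData\Local\setup.exe",    # lone .exe, no matching .dll
    r"E:\GdWbpvo.dll",
]

if __name__ == "__main__":
    for indicator, path in triage(SAMPLE, APPDATA, TEMP):
        print(f"{indicator}: {path}")
```

A same-named .dll/.exe pair is only a lead; confirming that the .exe is a copy of the system rundll32.exe requires comparing the two files on the host.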

Analysis by Tim Liu

Last update 24 July 2010
