TrojanSpy:Win32/Chadem.A
First posted on 27 March 2009.
Source: SecurityHome
Aliases:
TrojanSpy:Win32/Chadem.A is also known as Win32/FakeAv!generic (CA), Trojan-Downloader.Win32.Delf.ppt (Kaspersky), W32/Delf.CTYH (Norman), Troj/Agent-IEI (Sophos), Backdoor.Tidserv (Symantec).
Explanation:
Win32/Chadem.A is a trojan that steals password details from an affected machine.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following file:
%APPDATA%\winlogon.exe
Installation
When executed, Win32/Chadem.A copies itself to %APPDATA%\winlogon.exe and executes that copy. Note: %APPDATA% refers to a variable location that the malware determines by querying the operating system. The default location of the %APPDATA% folder for Windows 2000, NT and XP is C:\Documents and Settings\<user>\Application Data; for Vista it is C:\Users\<user>\AppData.
Payload
Steals Sensitive Information
When installed, the trojan listens to all network traffic looking for traffic associated with an FTP connection. If found, the trojan posts the FTP server domain, the username and the password to a remote host. The trojan posts information to the following IP addresses:
70.87.136.2
91.203.93.23
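The two indicators this write-up gives, the dropped copy under %APPDATA% (Installation) and the two posting addresses (Payload), can be turned into a simple host and network check. The script below is an added example, not part of the original write-up: it looks for winlogon.exe directly under a supplied %APPDATA% directory (a legitimate winlogon.exe lives under %SystemRoot%\System32, never there) and scans connection-log lines for the listed addresses. The log format and the sample lines are constructed for the example.

```python
"""Host and network checks for the Win32/Chadem.A indicators in the write-up."""
import os
import re
import tempfile

# Indicators taken from the write-up above.
DROPPED_FILE_NAME = "winlogon.exe"          # dropped as %APPDATA%\winlogon.exe
EXFIL_HOSTS = {"70.87.136.2", "91.203.93.23"}  # where stolen FTP credentials are posted

# Constructed sample firewall log (one connection record per line); not real data.
SAMPLE_FIREWALL_LOG = [
    "2009-03-27 10:01:12 ALLOW TCP 192.168.1.20:49211 -> 70.87.136.2:80",
    "2009-03-27 10:01:15 ALLOW TCP 192.168.1.20:49212 -> 198.51.100.7:443",
    "2009-03-27 10:02:03 ALLOW TCP 192.168.1.21:49300 -> 91.203.93.23:80",
]

_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def check_appdata_copy(appdata_dir):
    """Return the path of a winlogon.exe sitting directly in appdata_dir, or None.
    The real winlogon.exe belongs in %SystemRoot%\\System32, so a copy here is suspect."""
    candidate = os.path.join(appdata_dir, DROPPED_FILE_NAME)
    return candidate if os.path.isfile(candidate) else None


def find_exfil_connections(log_lines):
    """Return (line_number, ip) for every log line that mentions one of the
    posting addresses in any address field, so a match flags the whole record."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for ip in _IP_RE.findall(line):
            if ip in EXFIL_HOSTS:
                hits.append((number, ip))
    return hits


def self_check_dropped_copy():
    """Build a throwaway %APPDATA% containing the dropped file name (constructed,
    empty file) and confirm check_appdata_copy() reports it."""
    with tempfile.TemporaryDirectory() as fake_appdata:
        open(os.path.join(fake_appdata, DROPPED_FILE_NAME), "wb").close()
        return check_appdata_copy(fake_appdata) is not None


if __name__ == "__main__":
    # On a real Windows host pass os.environ["APPDATA"] instead of the fake dir.
    print("dropped copy detected in test dir:", self_check_dropped_copy())
    print("connections to posting hosts:", find_exfil_connections(SAMPLE_FIREWALL_LOG))
```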
Analysis by Ray Roberts
Last update 27 March 2009