
TrojanDropper:Win32/Malres.A


First posted on 16 March 2009.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Malres.A is also known as Win32/Farfli!generic (CA) and Trj/Lineage.KOQ (Panda).

Explanation :

TrojanDropper:Win32/Malres.A is a trojan that drops another malware, detected as Virtool:WinNT/Malres.A, onto the system.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

TrojanDropper:Win32/Malres.A is a trojan that drops another malware onto the system. When run, it checks for the following running processes:

  • avp.exe
  • svchost.exe

It also checks for the presence of the following subkey:

  HKLM\System\CurrentControlSet\Services\Enum\mpreflt

Win32/Malres.A may perform a different routine if the above subkey exists. At the time of this writing, this distinction is unclear.

It then drops the following file onto the system:

  <system folder>\drivers\esdr32.sys - detected as Virtool:WinNT/Malres.A

It registers this dropped driver by creating the following subkey:

  HKLM\System\CurrentControlSet\Services\esdr32

The device name for the dropped driver is '\\.\FILEGUARDDOS'. This trojan also creates another process and injects code into it. The injected code may be detected as other malware, such as the following:

  • TrojanDownloader:Win32/Small.FC
  • Backdoor:Win32/Poison.gen!A
  • Backdoor:Win32/Poisonivy.I
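The indicators above (the dropped driver file, its service subkey, the mpreflt Enum subkey, the device name and the avp.exe process check) can be verified on a suspect host. The following Python triage script is an added example and is not part of the original write-up: the indicator values are taken from the entry, while the snapshot layout, the function names, the CreateFileW-based device probe and the constructed sample snapshot are this example's own assumptions.

```python
"""Host triage for the Win32/Malres.A indicators above (added example).

The indicator values are taken from the entry; the snapshot layout,
function names and the sample snapshot are assumptions of this example.
"""
import os
import sys

DRIVER_NAME = "esdr32.sys"
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\esdr32"
ENUM_KEY = r"SYSTEM\CurrentControlSet\Services\Enum\mpreflt"
DEVICE_NAME = r"\\.\FILEGUARDDOS"


def assess(snapshot):
    """Match one host snapshot against the indicators; returns (severity, text) pairs.

    Assumed snapshot keys:
      drivers   - set of file names in <system folder>\\drivers
      services  - dict: registry subkey path (under HKLM) -> dict of its values
      devices   - set of Win32 device names that could be opened
      processes - set of running image names
    """
    findings = []
    drivers = {d.lower() for d in snapshot.get("drivers", ())}
    services = {k.lower(): v for k, v in snapshot.get("services", {}).items()}
    processes = {p.lower() for p in snapshot.get("processes", ())}

    if DRIVER_NAME in drivers:
        findings.append(("high", f"{DRIVER_NAME} present in the drivers folder"))
    svc = services.get(SERVICE_KEY.lower())
    if svc is not None:
        # Type 1 is SERVICE_KERNEL_DRIVER, which is what a dropped .sys needs.
        kind = "kernel driver" if svc.get("Type") == 1 else "non-driver service"
        findings.append(("high", f"esdr32 service key present ({kind}), "
                                 f"ImagePath={svc.get('ImagePath', '')!r}"))
    if DEVICE_NAME in snapshot.get("devices", ()):
        findings.append(("high", f"device {DEVICE_NAME} exists (driver is loaded)"))
    if ENUM_KEY.lower() in services:
        findings.append(("info", "mpreflt Enum subkey present; the dropper branches on it"))
    if "avp.exe" in processes:
        findings.append(("info", "avp.exe is running; the dropper looks for it"))
    # svchost.exe is always present on Windows, so its presence alone is not reported.
    return findings


def collect_windows_snapshot():
    """Build a snapshot from the live machine (Windows only; standard library only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import ctypes
    import winreg
    snap = {"services": {}, "devices": set(), "processes": set()}
    drivers_dir = os.path.join(os.environ["SystemRoot"], "System32", "drivers")
    snap["drivers"] = set(os.listdir(drivers_dir))
    for key in (SERVICE_KEY, ENUM_KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:
                        break
                    values[name], i = data, i + 1
                snap["services"][key] = values
        except FileNotFoundError:
            pass
    # CreateFileW with desired access 0 opens an existing device object without
    # sending it any I/O; INVALID_HANDLE_VALUE means the device name is absent.
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    h = k32.CreateFileW(DEVICE_NAME, 0, 0, None, 3, 0, None)  # 3 = OPEN_EXISTING
    if h not in (None, ctypes.c_void_p(-1).value):
        k32.CloseHandle(ctypes.c_void_p(h))
        snap["devices"].add(DEVICE_NAME)
    for line in os.popen("tasklist /fo csv /nh").read().splitlines():
        if line.startswith('"'):
            snap["processes"].add(line.split('","')[0].strip('"'))
    return snap


# Constructed sample snapshot of an infected host (illustrative, not real telemetry).
SAMPLE_INFECTED = {
    "drivers": {"ACPI.sys", "Ntfs.sys", "esdr32.sys"},
    "services": {SERVICE_KEY: {"Type": 1, "Start": 3,
                               "ImagePath": r"\??\C:\WINDOWS\system32\drivers\esdr32.sys"}},
    "devices": {DEVICE_NAME},
    "processes": {"svchost.exe", "explorer.exe", "avp.exe"},
}

if __name__ == "__main__":
    snap = collect_windows_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    for severity, text in assess(snap) or [("ok", "no Malres.A indicators found")]:
        print(f"[{severity}] {text}")
```

Run it on the suspect machine itself to collect a live snapshot, or feed it a snapshot assembled from a registry export and a drivers-folder listing taken during forensic acquisition. The device probe is the most reliable of the checks, since it only succeeds while the driver is actually loaded, whereas the file and the service subkey can be left behind after the driver has been unloaded.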


Analysis by Dan Kurc

Last update 16 March 2009
