Home / malwarePDF  

TrojanDownloader:Win32/Chymine.A


First posted on 23 July 2010.
Source: SecurityHome

Aliases :

There are no other names known for TrojanDownloader:Win32/Chymine.A.

Explanation :

TrojanDownloader:Win32/Chymine.A is a trojan that can download other malware and record the user's keystrokes. It consists of several components: an .EXE component and a .DLL component. It may be installed by Exploit:Win32/CplLnk.A.
Top

TrojanDownloader:Win32/Chymine.A is a trojan that can download other malware and record the user's keystrokes. It consists of several components: an .EXE component and a .DLL component. It may be installed by Exploit:Win32/CplLnk.A. Installation TrojanDownloader:Win32/Chymine.A may be installed in the computer by other malware, such as Exploit:Win32/CplLnk.A. Upon execution, it checks if its file name is "explorer.exe". If this is not the case, it terminates itself. It downloads the following file:

  • bin.exe - also detected as TrojanDownloader:Win32/Chymine.A
    • It downloads this file from the following IP address:
  • 205.209.171.119
    • The downloaded file is saved as the following:
  • %APPDATA%\conime.exe
    • The downloaded file is then executed. It drops a .DLL component as the following:
  • %Temp%\..\<six random characters>.dll (for example, "BB062E.dll") - also detected as TrojanDownloader:Win32/Chymine.A
    • This .DLL component may register itself as a system service that is loaded by the legitimate Windows process "svchost.exe". It may also inject code into other system processes, such as "winlogon.exe". Payload The .DLL component of TrojanDownloader:Win32/Chymine.A is capable of performing the following malicious actions:
  • Record keystrokes
  • Download other malware
    • Additional information TrojanDownloader:Win32/Chymine.A copies the following legitimate Windows file to a different location:
  • <system folder>\rundll32.exe -> %Temp%\..\<six random characters>.exe (for example, "BB062E.exe")
    • Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

    Analysis by Tim Liu

    Last update 23 July 2010

     

    TOP

    Malware :

    Family: