TrojanDownloader:Win32/Malushka.T
First posted on 09 February 2009.
Source: SecurityHome
Aliases:
TrojanDownloader:Win32/Malushka.T is also known as Win32/Pigeon.AZKF (CA), Mal/Emogen-R (Sophos), Trojan-Downloader.Win32.Agent.zfo (Kaspersky), Downloader.gen.a (McAfee), Trj/Downloader.MDW (Panda), Downloader (Symantec).
Explanation:
TrojanDownloader:Win32/Malushka.T is a trojan that downloads a component that automatically clicks target ads to produce revenue for certain advertisement networks.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following file:
%ProgramFiles%\phkmgr\phkmgr.exe
The presence of the following registry modification:
Added value: "tphkmgr"
With data: "%ProgramFiles%\phkmgr\phkmgr.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Installation
TrojanDownloader:Win32/Malushka.T may drop the clicker component, also detected as Win32/Malushka.T, as the following file:
%ProgramFiles%\phkmgr\phkmgr.exe
It modifies the system registry so that the component runs automatically every time Windows starts:
Adds value: "tphkmgr"
With data: "%ProgramFiles%\phkmgr\phkmgr.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
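The following PowerShell triage script is an added example for this page; it is not part of the original advisory and not a vendor tool. It checks a host for the two indicators documented in the Symptoms and Installation sections (the "tphkmgr" Run value and the dropped phkmgr.exe). The WOW6432Node / Program Files (x86) locations, the running-process check and the DNS-cache lookup for the ismys.com download server are my own additions and are assumptions, not indicators the page lists.

```powershell
# Added triage example, not from the original advisory. Checks a host for the
# Win32/Malushka.T persistence indicators documented above. Assumptions: the
# WOW6432Node / Program Files (x86) paths, the phkmgr process check and the
# ismys.com DNS-cache lookup are extra heuristics not listed on the page.

function Test-MalushkaIndicators {
    [CmdletBinding()]
    param()

    $valueName = 'tphkmgr'
    $findings  = @()

    # Documented location (HKLM Run + %ProgramFiles%), plus the locations a
    # 32-bit dropper lands in on a 64-bit host (assumption).
    $candidates = @(
        @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
           Path = Join-Path $env:ProgramFiles 'phkmgr\phkmgr.exe' }
    )
    if (${env:ProgramFiles(x86)}) {
        $candidates += @{ Key  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
                          Path = Join-Path ${env:ProgramFiles(x86)} 'phkmgr\phkmgr.exe' }
    }

    foreach ($c in $candidates) {
        # 1. Autostart value. Report the data even when it differs from the
        #    documented path: the page notes the downloaded component may vary.
        $run = Get-ItemProperty -Path $c.Key -Name $valueName -ErrorAction SilentlyContinue
        if ($run) {
            $data = [string]$run.$valueName
            $findings += "Run value '$valueName' under $($c.Key) -> $data"
            if ($data.Trim('"') -ne $c.Path) {
                $findings += "  note: data differs from the documented path $($c.Path)"
            }
        }

        # 2. Dropped clicker component. Hash it in place so the sample can be
        #    compared or submitted without copying the file around.
        if (Test-Path -LiteralPath $c.Path -PathType Leaf) {
            $item = Get-Item -LiteralPath $c.Path
            $sha  = (Get-FileHash -LiteralPath $c.Path -Algorithm SHA256).Hash
            $findings += "File present: $($c.Path) ($($item.Length) bytes, created $($item.CreationTime), SHA256 $sha)"
        }
    }

    # 3. Running instance of the dropped component (assumption: it keeps its
    #    file name when executed).
    Get-Process -Name 'phkmgr' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Process running: phkmgr.exe PID $($_.Id) path $($_.Path)"
    }

    # 4. Download server named in the Payload section, if it was resolved
    #    recently. Get-DnsClientCache exists on Windows 8 / Server 2012 and later.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*ismys.com' } |
        ForEach-Object { $findings += "DNS cache entry: $($_.Entry) -> $($_.Data)" }

    return $findings
}

$result = @(Test-MalushkaIndicators)
if ($result.Count -eq 0) {
    'No Win32/Malushka.T indicators found.'
} else {
    $result
}
```

Run it from an elevated prompt so the HKLM keys and the Program Files tree are readable. A "tphkmgr" value whose data does not point at the documented path is still worth treating as suspect rather than clearing the host, since the page states the downloaded component may vary; the SHA256 in the output is what you would compare against a known sample before deciding.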
Payload
Downloads Clicker Component
TrojanDownloader:Win32/Malushka.T attempts to connect to "ismys.com" to download its clicker component, which is also detected as TrojanDownloader:Win32/Malushka.T. Note, however, that the downloaded component may vary.
Clicks Target Advertisements
TrojanDownloader:Win32/Malushka.T clicks on target advertisements from the following networks:
Adbrite
Adengage
Adonion
Ads-Click
Alexa
Bidvertiser
Chanet
Chitika
dugohoo
Globalinteractive
Infolinks
Mediashakers
Oxado
TTZmedia
Valueclick
Widgetbucks
Disrupts User Browsing Experience
TrojanDownloader:Win32/Malushka.T sets a cookie to register its clicks. The trojan uses the currently browsed Web site as the "Referer" header in its GET requests, so each click appears to originate from the page the user is viewing. The user might also experience a slowdown in network connectivity due to the connections created by this trojan.
Analysis by Jaime Wong
Last update 09 February 2009