Trojan:Win32/Ilomo.gen!A
First posted on 07 March 2009.
Source: SecurityHome
Aliases:
Trojan:Win32/Ilomo.gen!A is also known as Win32/Ilomo.AZ (CA), Bck/Agent.LQM (Panda), Troj/Agent-IFG (Sophos), Trojan.Generic.949710 (BitDefender), Trojan-Downloader.Win32.Agent.aoth (Kaspersky), Trojan.Clampi (Symantec).
Explanation:
Trojan:Win32/Ilomo.gen!A is a trojan that may arrive in a system by being dropped by another malware. It injects code into an Internet Explorer process and connects to various Web sites, possibly to download other malware components.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s). Because TrojanDropper:Win32/Ilomo may arrive with another associated threat, the presence of TrojanDropper:Win32/Ilomo may also be a symptom of this threat.
Installation
Upon execution, TrojanDropper:Win32/Ilomo drops Trojan:Win32/Ilomo.gen!A into the user's Application Data folder using one of the following file names:
dumpreport.exe
msiexeca.exe
svchosts.exe
upnpsvc.exe
service.exe
taskmon.exe
rundll.exe
helper.exe
event.exe
logon.exe
sound.exe
lsas.exe
Note that these file names are similar to the file names used by legitimate system processes (such as 'lsass.exe', 'svchost.exe', and 'services.exe'). The dropper also modifies the system registry so that Win32/Ilomo.gen!A automatically runs every time Windows starts:
Adds value: "<value>"
With data: "%AppData%\<malware name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
where <malware name> is one of the above possible file names and <value> is one of the following:
CrashDump
svchosts
EventLog
TaskMon
Windows
RunDll
System
Setup
Sound
lsass
UPNP
Init
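The persistence pattern above (a Run value from a short list of names, pointing at an executable with one of the listed file names inside %AppData%) is specific enough to turn into a triage check. The following Python script is an added example, not part of this write-up or any vendor tool: it takes HKCU Run entries as (value name, data) pairs, as you would export them from a host or a registry hive, and reports the entries that match the indicators given above. The sample entries are constructed for the example; the executable-path extraction is a heuristic for typical Run-key data.

```python
"""Added example: flag HKCU Run entries matching the Win32/Ilomo persistence
pattern described in the write-up. Not code from the original page."""
import ntpath
import re

# Run value names listed in the write-up (compared case-insensitively).
ILOMO_VALUE_NAMES = {
    "crashdump", "svchosts", "eventlog", "taskmon", "windows", "rundll",
    "system", "setup", "sound", "lsass", "upnp", "init",
}
# Dropped file names listed in the write-up.
ILOMO_FILE_NAMES = {
    "dumpreport.exe", "msiexeca.exe", "svchosts.exe", "upnpsvc.exe",
    "service.exe", "taskmon.exe", "rundll.exe", "helper.exe", "event.exe",
    "logon.exe", "sound.exe", "lsas.exe",
}
# Genuine system binaries the malware names imitate; any copy of these
# starting from the user's roaming profile is worth a look on its own.
LOOKALIKE_TARGETS = {"lsass.exe", "svchost.exe", "services.exe", "rundll32.exe"}

# Matches data that starts with the %AppData% variable or an expanded
# ...\AppData\Roaming\ path (the dropper writes into the roaming profile).
APPDATA_RE = re.compile(r"^(%appdata%|.*\\appdata\\roaming)\\", re.IGNORECASE)


def executable_path(data):
    """Heuristic: strip surrounding quotes and trailing arguments from
    Run-key data, returning just the executable path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    idx = data.lower().find(".exe")
    if idx >= 0:
        return data[: idx + 4]
    return data.split(" ")[0]


def classify_run_entry(value_name, data):
    """Return the list of reasons this Run entry looks like Ilomo persistence.
    An empty list means no indicator matched."""
    path = executable_path(data)
    file_name = ntpath.basename(path).lower()
    in_appdata = APPDATA_RE.match(path) is not None
    reasons = []
    # Each indicator is only meaningful together with the %AppData% location:
    # value names such as "Sound" or "System" are common for legitimate software.
    if in_appdata and file_name in ILOMO_FILE_NAMES:
        reasons.append("known Ilomo file name launched from %AppData%")
    if in_appdata and value_name.lower() in ILOMO_VALUE_NAMES:
        reasons.append("known Ilomo Run value name pointing into %AppData%")
    if in_appdata and file_name in LOOKALIKE_TARGETS:
        reasons.append("system process name running from %AppData%")
    return reasons


def scan_run_key(entries):
    """Return (value_name, data, reasons) for every flagged entry."""
    flagged = []
    for value_name, data in entries:
        reasons = classify_run_entry(value_name, data)
        if reasons:
            flagged.append((value_name, data, reasons))
    return flagged


# Constructed sample of HKCU\...\CurrentVersion\Run entries for this example.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("CrashDump", r"%AppData%\dumpreport.exe"),
    ("lsass", r"C:\Users\alice\AppData\Roaming\lsas.exe"),
    ("Sound", r"C:\Program Files\Realtek\Audio\RtkNGUI64.exe -s"),
    ("Init", r"%APPDATA%\upnpsvc.exe"),
]

if __name__ == "__main__":
    for value_name, data, reasons in scan_run_key(SAMPLE_RUN_ENTRIES):
        print(f"{value_name!r} -> {data}")
        for reason in reasons:
            print(f"    {reason}")
```

Of the five constructed entries, the script flags CrashDump, lsass and Init; the Realtek entry under the value name "Sound" is not flagged because the indicator only fires together with an %AppData% location, and the OneDrive entry lives under AppData\Local rather than the roaming profile. On a live host, feed it the output of a registry export of the Run subkey for each user profile.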
Payload
Connects to Web Sites
Trojan:Win32/Ilomo.gen!A launches 'iexplore.exe' and injects code into this process. It may connect to various Web sites, such as 'webmail.re-factoring.cn', to download additional malware components.
Analysis by Andrei Florin Saygo
Last update 07 March 2009