
Trojan:Win32/Cowor.A


First posted on 20 September 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Cowor.A is also known as W32/Chifax!Generic (Authentium (Command)), Trojan.MulDrop1.36448 (Dr.Web), Trojan.Win32.Chifrax.d (Kaspersky), Trj/Chifrax.B (Panda), Troj/BadCab-A (Sophos), Trojan.Chifrax.COK (VirusBuster).

Explanation :

Trojan:Win32/Cowor.A is a trojan that appears to run as a computer game named "Rapala Pro Fishing". However, in the background it executes TrojanDownloader:Win32/Cowor.A to download other malware.

Installation

This trojan may be bundled with, or installed by, other malware. When executed, Win32/Cowor.A drops two files into a temporary folder:

  • %Temp%\IXP<3-digit sequential number>.TMP\Launcher.exe - clean
  • %Temp%\IXP<3-digit sequential number>.TMP\settings.exe - TrojanDownloader:Win32/Cowor.A

Both files are removed from the system once Win32/Cowor.A completes its execution. (The %Temp%\IXP<nnn>.TMP folder name is the one used by Windows IExpress self-extracting packages, so the same path pattern also appears when legitimate IExpress installers run; on its own it is not a reliable indicator.) Win32/Cowor.A executes Launcher.exe as a child process and waits for it to terminate before executing settings.exe. Launcher.exe displays a menu when executed and does not itself contain malicious behavior. Its menu offers the following options:

  • PLAY - Executes "Bin\Rapala.exe". Rapala.exe is not distributed with Win32/Cowor.A, and the option is grayed out if the PC game is not installed.
  • INSTALL - Executes "setup.exe" and terminates, returning execution control to Win32/Cowor.A. Setup.exe is not distributed with Win32/Cowor.A, so whichever program named setup.exe is found first in the search path defined by the %PATH% environment variable is launched instead; what this option actually runs therefore depends entirely on the contents of %PATH% on the affected machine.
  • UNINSTALL - Executes msiexec.exe to uninstall a program referenced by the GUID "CCCAA826-D6DE-4FA9-AC5F-73966AA00028".
  • READ ME - Opens "Help\index.html". Index.html is not distributed with Win32/Cowor.A.
  • EXIT - Terminates Launcher.exe.

Payload

Downloads arbitrary file

Once Launcher.exe terminates, Win32/Cowor.A executes "settings.exe". This component launches the default web browser, Internet Explorer, and injects its code into the launched browser process to hide its own activity behind a trusted process. It then attempts to download and execute a file named "DivX.Build.1531.0.exe" from the domain "coco.x10hosting.com".

Additional Information

For more information about TrojanDownloader:Win32/Cowor.A, see the description elsewhere in the encyclopedia.
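The behaviour chain described above (component executed from an IXP<nnn>.TMP folder, Internet Explorer spawned by settings.exe, a connection to coco.x10hosting.com, and the dropped DivX.Build.1531.0.exe) can be turned into a small detection over endpoint telemetry. The following is an added example written for this page, not code from the original description or from any vendor: it runs the chain logic over constructed Sysmon-style events (the field names and the sample events are assumptions made here for illustration, and the rule identifiers are hypothetical). It deliberately ignores an IXP<nnn>.TMP folder that contains only Launcher.exe, since legitimate IExpress packages extract to the same location.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Indicators taken from the description of Trojan:Win32/Cowor.A above.
IXP_COMPONENT = re.compile(
    r"\\IXP\d{3}\.TMP\\(?P<name>launcher\.exe|settings\.exe)$", re.IGNORECASE)
DOWNLOAD_HOST = "coco.x10hosting.com"
DOWNLOAD_FILE = "divx.build.1531.0.exe"

# Constructed Sysmon-style events for illustration (assumption: not a real capture).
# "process_create" ~ event 1, "network_connect" ~ event 3, "file_create" ~ event 11.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "image": r"C:\Users\bob\Downloads\RapalaProFishing.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Users\bob\AppData\Local\Temp\IXP000.TMP\Launcher.exe",
     "parent": r"C:\Users\bob\Downloads\RapalaProFishing.exe"},
    {"type": "process_create", "image": r"C:\Users\bob\AppData\Local\Temp\IXP000.TMP\settings.exe",
     "parent": r"C:\Users\bob\Downloads\RapalaProFishing.exe"},
    {"type": "process_create", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\IXP000.TMP\settings.exe"},
    {"type": "network_connect", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dest_host": "coco.x10hosting.com", "dest_port": "80"},
    {"type": "file_create", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\DivX.Build.1531.0.exe"},
    # Benign IExpress installer: same IXP folder pattern, but no settings.exe and no browser child.
    {"type": "process_create", "image": r"C:\Users\bob\AppData\Local\Temp\IXP001.TMP\Launcher.exe",
     "parent": r"C:\Users\bob\Downloads\VendorTool.exe"},
]

Finding = Tuple[str, str]  # (hypothetical rule id, human-readable detail)


def detect_cowor_chain(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Return findings for each stage of the Cowor.A chain seen in the events."""
    findings: List[Finding] = []
    # Component names seen per IXP<nnn>.TMP folder, so that Launcher.exe alone
    # (also produced by legitimate IExpress packages) is not reported by itself.
    ixp_dirs: Dict[str, Set[str]] = {}
    for ev in events:
        kind = ev.get("type")
        image = ev.get("image", "")
        if kind == "process_create":
            m = IXP_COMPONENT.search(image)
            if m:
                folder = image.rsplit("\\", 1)[0].lower()
                ixp_dirs.setdefault(folder, set()).add(m.group("name").lower())
            # settings.exe launches Internet Explorer and injects into it: the browser
            # having a settings.exe in an IXP folder as its parent is the tell.
            parent = ev.get("parent", "")
            pm = IXP_COMPONENT.search(parent)
            if image.lower().endswith("\\iexplore.exe") and pm and pm.group("name").lower() == "settings.exe":
                findings.append(("cowor.inject_target", f"iexplore.exe spawned by {parent}"))
        elif kind == "network_connect":
            if ev.get("dest_host", "").lower() == DOWNLOAD_HOST:
                findings.append(("cowor.c2_host", f"{image} connected to {DOWNLOAD_HOST}"))
        elif kind == "file_create":
            if ev.get("target", "").lower().rsplit("\\", 1)[-1] == DOWNLOAD_FILE:
                findings.append(("cowor.payload_file", f"{image} wrote {ev['target']}"))
    # Only a folder holding both dropped components is reported as the dropper stage.
    for folder, names in ixp_dirs.items():
        if {"launcher.exe", "settings.exe"} <= names:
            findings.append(("cowor.dropper", f"Launcher.exe and settings.exe executed from {folder}"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Collapse findings into a verdict: the full chain needs both dropper and browser stages."""
    rules = {rule for rule, _ in findings}
    if {"cowor.dropper", "cowor.inject_target"} <= rules:
        return "Trojan:Win32/Cowor.A behaviour chain"
    if rules:
        return "partial indicator match"
    return "clean"


if __name__ == "__main__":
    hits = detect_cowor_chain(SAMPLE_EVENTS)
    for rule, detail in hits:
        print(f"{rule}: {detail}")
    print("verdict:", verdict(hits))
```

The host and file name are the weakest indicators here, since a downloader's next-stage URL changes easily; the parent/child relationship between settings.exe in an IXP<nnn>.TMP folder and iexplore.exe is the part of the chain that survives such changes, which is why the verdict function requires it.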

    Analysis by Shali Hsieh

    Last update 20 September 2010
