
Trojan.Downloader.Gadja.C


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Downloader.Gadja.C is also known as Trojan-Downloader.Win32.Obitel.a, Trj/Agent.JEN, Win32/TrojanDownloader.Tiny.NDM and TR/Dldr.Tiny.brm.

Explanation:

When executed, the malware copies the original (clean) file %sysdir%/userinit.exe to %sysdir%/userini.exe.

It disables System File Protection and overwrites %sysdir%/userinit.exe with a copy of itself, so that it is executed on every system start-up.

After it deletes the initially executed copy of itself, the malware drops the file:
%tempdir%ie[hex-digit].tmp, detected as: Trojan.Downloader.Gadja.D.

It starts a new %sysdir%svchost.exe process and injects its code into it in order to bypass firewalls and other security software.

It also tries to download other malware from the following URLs, save it to %tempdir%ie[hex-digit].tmp and execute it:
http://fixaserver.ru/[hide]/gate.php?[8-digit-hex-number]
http://djaga-djaga.cn/[hide]/gate.php?[8-digit-hex-number]
An example of a downloaded malware file is Trojan.Peed.JOP.
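The behaviour described above leaves host and network artefacts that a responder can check for. The following triage script is an added example written for this page; it is not BitDefender's code and does not come from the original entry. It assumes the paths %sysdir% and %tempdir% have already been resolved to real directories, that the dropped file name has exactly one hexadecimal digit as the entry states, and it builds a constructed directory layout and constructed proxy-log lines so that it runs offline.

```python
"""Triage checks for the Trojan.Downloader.Gadja.C indicators described above.

Added example for this page (not BitDefender's code). All sample files and log
lines are constructed stand-ins; the only real values are the indicators the
entry lists (userini.exe backup, ie[hex].tmp drop, the two gate.php URLs).
"""
import hashlib
import os
import re
import tempfile

# Dropped file name from the entry: ie followed by a single hex digit, .tmp
TEMP_DROP_RE = re.compile(r"^ie[0-9a-f]\.tmp$", re.IGNORECASE)

# Download URLs from the entry. "[hide]" is a path segment the entry withholds,
# so any single segment is accepted; the query is an 8-digit hex number.
GATE_URL_RE = re.compile(
    r"^https?://(?:fixaserver\.ru|djaga-djaga\.cn)/[^/\s]+/gate\.php\?[0-9a-f]{8}$",
    re.IGNORECASE,
)


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_host_indicators(sysdir, tempdir):
    """Return a list of findings for the file-system artefacts the entry names.

    The backup userini.exe is the strongest single indicator: a clean system has
    no such file. When it exists, a userinit.exe that no longer matches it means
    the overwrite already happened. On a live system the authoritative check is
    to verify userinit.exe against Microsoft's signed binary; this comparison
    only shows whether the two files diverge.
    """
    findings = []
    userinit = os.path.join(sysdir, "userinit.exe")
    userini = os.path.join(sysdir, "userini.exe")
    if os.path.isfile(userini):
        findings.append("backup copy userini.exe present in system directory")
        if os.path.isfile(userinit) and sha256_of(userinit) != sha256_of(userini):
            findings.append("userinit.exe differs from userini.exe backup")
    if os.path.isdir(tempdir):
        for name in sorted(os.listdir(tempdir)):
            if TEMP_DROP_RE.match(name):
                findings.append(f"dropped file {name} in temp directory")
    return findings


def match_gate_urls(log_lines):
    """Return the URLs in proxy-style log lines that match the entry's C2 pattern.

    Each line is assumed to be whitespace-separated with the URL as one field;
    only the URL field is tested, so a different log layout needs a different split.
    """
    hits = []
    for line in log_lines:
        for field in line.split():
            if GATE_URL_RE.match(field):
                hits.append(field)
    return hits


def build_demo_tree(infected):
    """Create a constructed %sysdir%/%tempdir% layout; returns (sysdir, tempdir)."""
    root = tempfile.mkdtemp(prefix="gadja_demo_")
    sysdir = os.path.join(root, "system32")
    tempdir = os.path.join(root, "Temp")
    os.makedirs(sysdir)
    os.makedirs(tempdir)
    clean_stand_in = b"MZ constructed clean userinit stand-in"
    bad_stand_in = b"MZ constructed overwritten userinit stand-in"
    with open(os.path.join(sysdir, "userinit.exe"), "wb") as fh:
        fh.write(bad_stand_in if infected else clean_stand_in)
    if infected:
        with open(os.path.join(sysdir, "userini.exe"), "wb") as fh:
            fh.write(clean_stand_in)
        with open(os.path.join(tempdir, "ie7.tmp"), "wb") as fh:
            fh.write(b"constructed dropped payload stand-in")
    return sysdir, tempdir


def scan_demo(infected):
    """Run the host checks over a constructed tree and return the findings."""
    return check_host_indicators(*build_demo_tree(infected))


# Constructed proxy log lines: two C2 fetches and two benign requests.
DEMO_LOG_LINES = [
    "2011-11-21T10:00:01 10.0.0.5 GET http://fixaserver.ru/img/gate.php?0a1b2c3d 200",
    "2011-11-21T10:00:02 10.0.0.5 GET http://www.example.com/index.html 200",
    "2011-11-21T10:00:03 10.0.0.7 GET http://djaga-djaga.cn/x/gate.php?DEADBEEF 200",
    "2011-11-21T10:00:04 10.0.0.7 GET http://djaga-djaga.cn/x/gate.php?notahex1 404",
]

if __name__ == "__main__":
    for finding in scan_demo(infected=True):
        print("host:", finding)
    for url in match_gate_urls(DEMO_LOG_LINES):
        print("network:", url)
```

Run as a script, the infected demo tree yields three host findings (the backup copy, the divergent userinit.exe and the ie7.tmp drop) and the log sample yields the two gate.php URLs whose query is an 8-digit hex number; the clean tree yields nothing. Against a real host the two directory arguments would be the resolved system and temp paths, and the hash comparison should be replaced by signature verification of userinit.exe.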

Last update 21 November 2011
