
TrojanDownloader:W97M/Bartallex.A


First posted on 04 March 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:W97M/Bartallex.A.

Explanation:

Threat behavior

Installation

This threat is a malicious macro that can be embedded in a Microsoft Word file. When you open the malicious file, Microsoft Word should show you a security notification to ask whether you want to enable macros. If you enable macros, this threat will run.

We have seen this threat spread in a Word file that is attached to spam emails as a .doc file. See the spam email samples below:

[spam email sample images not reproduced here]

The attached file has a random name, for example:

  • invoice_723961.doc
  • legal_complaint.doc
  • logmein_coupon.doc
  • receipt_3458934.doc


Payload

Downloads other malware

The infected .doc file contains a malicious macro script that, when opened, can download and run other malware onto your PC.

The malware uses social engineering tactics to try to get you to enable macro scripting when you view the document, as macro scripts are usually disabled by default in Microsoft Office.

We have seen the malware use the following fake warning in an attempt to get you to enable macros:

[fake warning image not reproduced here]

If macros are enabled, the malicious Visual Basic for Applications (VBA) macro runs when the attachment is opened. It immediately downloads other malware from a remote server. We have seen it download malware from the following servers:

  • 91..131.49/upd/install.exe
  • 91..131.49/upd2/install.exe
  • st.eu/wp-content/plugins/wp_add/god.exe


The downloaded file is usually saved and run from %TEMP% using a random file name, for example %TEMP%\4444.exe.

We have seen this threat download the following malware:

  • TrojanDownloader:Win32/Chanitor.A - malware that can install Backdoor:Win32/Vawtrak.F
  • TrojanSpy:Win32/Ursnif.gen!R - a trojan family that tries to steal your sensitive information


We have also seen this threat download a clean PNG image file and save it with a random file name, for example %TEMP%\savepic.su\5123965.png.
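As an added detection example (not part of the original Microsoft write-up), the Python script below runs two simple rules over a few constructed JSON-lines telemetry events modelled on the behaviour described above: an Office host process fetching an executable over HTTP, and an Office host process spawning an .exe out of the user's Temp directory. The event field names, the host name downloader.example, and the inclusion of Excel and PowerPoint alongside Word are assumptions; the Temp path and file names follow the examples given on this page.

```python
import json
import ntpath
import re
from typing import Dict, List, Optional

# Office host processes whose child processes and downloads are scrutinised.
# The page only describes Word; Excel and PowerPoint are an assumed generalisation.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Per-user Temp directory (%TEMP%) as it appears in a Windows image path.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# URL whose final path component is an executable, e.g. /upd/install.exe.
EXE_URL_RE = re.compile(r"/[^/?#]+\.exe(?:[?#]|$)", re.IGNORECASE)

# Constructed sample telemetry (JSON lines). Field names and the host
# downloader.example are assumptions for this example, not real indicators.
SAMPLE_LOG = r"""
{"ts": "2015-03-04T09:12:01Z", "type": "http", "proc": "WINWORD.EXE", "method": "GET", "url": "http://downloader.example/upd/install.exe", "status": 200}
{"ts": "2015-03-04T09:12:03Z", "type": "proc", "parent": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\4444.exe"}
{"ts": "2015-03-04T09:12:05Z", "type": "http", "proc": "WINWORD.EXE", "method": "GET", "url": "http://downloader.example/savepic.su/5123965.png", "status": 200}
{"ts": "2015-03-04T09:15:10Z", "type": "proc", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"}
{"ts": "2015-03-04T09:16:00Z", "type": "http", "proc": "chrome.exe", "method": "GET", "url": "http://www.example.com/index.html", "status": 200}
"""


def check_proc(ev: Dict) -> Optional[Dict[str, str]]:
    """Rule 1: an Office host launches an executable from the user's Temp directory."""
    parent = ntpath.basename(ev.get("parent", "")).lower()
    image = ev.get("image", "")
    if parent in OFFICE_HOSTS and image.lower().endswith(".exe") and TEMP_DIR_RE.search(image):
        return {"rule": "office_spawns_temp_exe", "ts": ev.get("ts", ""), "detail": image}
    return None


def check_http(ev: Dict) -> Optional[Dict[str, str]]:
    """Rule 2: an Office host itself requests an executable over HTTP."""
    proc = ev.get("proc", "").lower()
    url = ev.get("url", "")
    if proc in OFFICE_HOSTS and EXE_URL_RE.search(url):
        return {"rule": "office_downloads_exe", "ts": ev.get("ts", ""), "detail": url}
    return None


# Dispatch table: event type -> rule function.
RULES = {"proc": check_proc, "http": check_http}


def triage(jsonl: str) -> List[Dict[str, str]]:
    """Parse JSON-lines telemetry and return the alerts raised, in input order."""
    alerts: List[Dict[str, str]] = []
    for raw in jsonl.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        rule = RULES.get(ev.get("type"))
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['rule']}: {alert['detail']}")
```

The PNG fetch described on this page is deliberately not alerted on by itself: a Word process downloading an image is not unusual, whereas a Word process fetching an .exe or spawning one from %TEMP% is a strong signal regardless of the random file name. In practice the same two rules can be run over EDR process-creation and proxy exports rather than the constructed sample.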



Analysis by Rex Plantado

Symptoms

The following can indicate that you have this threat on your PC:

  • You have received an email that looks like this: [spam email sample image not reproduced here]
  • You have opened a Microsoft Word file similar to this: [document sample image not reproduced here]

Last update 04 March 2015
