Trojan:MSIL/Gillver.A
First posted on 28 September 2011.
Source: SecurityHome
Aliases:
Trojan:MSIL/Gillver.A is also known as Trojan.Mail (Ikarus), W32.Shadesrat (Symantec).
Explanation:
Trojan:MSIL/Gillver.A is a trojan that drops and executes other malware detected as Worm:Win32/Cambot.A and Worm:Win32/Ainslot.A.
Installation
When Trojan:MSIL/Gillver.A is run, it drops the following executable files:
- %TEMP%\initmailer.exe - Trojan:MSIL/Gillver.A
- %TEMP%\initmail.exe - Trojan:MSIL/Gillver.A
- %TEMP%\cWL.exe - Trojan:MSIL/Gillver.A
- %TEMP%\wmail.exe - copy of the non-malicious Microsoft Visual Studio executable "CVTRES.EXE"
- %TEMP%\wmailer.exe - copy of the non-malicious Microsoft Visual Studio executable "CVTRES.EXE"
The registry is modified to run the malware components at each Windows start.
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Liver"
With data: "%TEMP%\initmailer.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Liver"
With data: "%TEMP%\initmail.exe"
Payload
Executes other malware
Trojan:MSIL/Gillver.A executes the clean files (the dropped copies of CVTRES.EXE) and injects other malware, such as Worm:Win32/Cambot.A or Worm:Win32/Ainslot.A, into the launched processes.
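The indicators above turned into a host triage check, as an added example that is not part of the original write-up. It assumes the HKCU Run values and a %TEMP% directory listing have already been exported from the host; the function names and sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators copied from the write-up; everything else here is an assumption.
RUN_VALUE = "windows liver"
DROPPED = {"initmailer.exe", "initmail.exe", "cwl.exe"}  # Trojan:MSIL/Gillver.A
DECOYS = {"wmail.exe", "wmailer.exe"}                    # clean CVTRES.EXE copies


def image_path(data, temp_dir):
    """Lower-cased executable path from Run data (quotes, args, %TEMP% handled)."""
    match = re.match(r'\s*"?([^"]+?\.exe)', data, re.IGNORECASE)
    path = match.group(1) if match else data.strip().strip('"')
    path = re.sub(r"%temp%", lambda _: temp_dir, path, flags=re.IGNORECASE)
    return ntpath.normpath(path).lower()


def check_run_key(entries, temp_dir):
    """entries: (value_name, data) pairs read from the HKCU Run subkey."""
    temp = ntpath.normpath(temp_dir).lower()
    hits = []
    for name, data in entries:
        image = image_path(data, temp_dir)
        reasons = []
        if name.strip().lower() == RUN_VALUE:
            reasons.append("value-name")
        if ntpath.dirname(image) == temp and ntpath.basename(image) in DROPPED:
            reasons.append("dropped-file")
        if reasons:
            hits.append((name, image, reasons))
    return hits


def check_temp_files(filenames):
    """Split a %TEMP% listing into trojan copies and decoy injection hosts."""
    names = {f.lower() for f in filenames}
    return sorted(names & DROPPED), sorted(names & DECOYS)


# Constructed sample data (not taken from a real host).
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_RUN = [
    ("Windows Liver", r"%TEMP%\initmailer.exe"),
    ("Updater", r'"C:\Users\alice\AppData\Local\Temp\INITMAIL.EXE" /s'),
    ("OneDrive", r'"C:\Program Files\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_FILES = ["cWL.exe", "wmail.exe", "notes.txt"]
```

Because wmail.exe and wmailer.exe are copies of a non-malicious file, the check reports them by name and location rather than by content.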
Additional Information
For more information about Worm:Win32/Cambot.A or Worm:Win32/Ainslot.A, see the description in the Microsoft Malware Encyclopedia.
Analysis by Shawn Wang
Last update 28 September 2011