Trojan.Downloader.6588.E
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Downloader.6588.E is also known as AdWare.Win32.Stud.A, Win32/Adware.BHO.AA, WebPrefix.A, Trojan.Downloader.CGU, W32/Downloader.MNI.
Explanation:
This malware is a Browser Helper Object (BHO) which:
- Is located in %SYSTEM%\%SOME_NAME%.dll (e.g. nvrspl32.dll, swprv32.dll, mprddm32.dll, ulib32.dll, dmintf32.dll, netos32.dll, ruipxmib.dll, etc.).
- Connects to http://axload.to/..., sending information about the computer, such as the version of the Operating System and the Service Pack version.
- Downloads encrypted components/updates from that website, decrypts the data, injects it into explorer.exe and then executes it (typically, the resulting data is an executable file packed with UPX, with a size of 35 Kbytes).
- Displays commercial advertisements and redirects the web browser to various porn sites.
- Changes the start page of Internet Explorer to various sites.

Note: %SYSTEM% is usually C:\WINDOWS\SYSTEM32 (WinXP), C:\WINNT\SYSTEM32 (Win2000, NT) or C:\WINDOWS\SYSTEM (Win9x).

Last update 21 November 2011
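As an added, defender-side example (this is not BitDefender's code and not part of the original description), the following Python script turns the indicators above into a triage check: it flags Browser Helper Object registrations whose DLL has one of the file names listed above and sits directly in one of the %SYSTEM% directories, and it flags proxy log lines whose request host is axload.to or a subdomain of it. The BHO listing, the CLSIDs, the log lines, the log format and the URL paths are all constructed sample data (the page quotes no logs and gives only http://axload.to/...).

```python
"""Triage helper for the indicators in the Trojan.Downloader.6588.E description.

Added example, not BitDefender's tooling. Runs offline on constructed data:
a BHO listing (CLSID -> registered DLL path) and a few proxy log lines.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# DLL file names the page lists as observed locations of the BHO.
KNOWN_DLL_NAMES = {
    "nvrspl32.dll", "swprv32.dll", "mprddm32.dll", "ulib32.dll",
    "dmintf32.dll", "netos32.dll", "ruipxmib.dll",
}

# Download/update host named on the page.
KNOWN_HOST = "axload.to"

# %SYSTEM% directories the page lists; Windows paths compare case-insensitively.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32", r"c:\windows\system")

URL_RE = re.compile(r"https?://\S+")


def in_system_dir(path: str) -> bool:
    """True if the file sits directly in one of the %SYSTEM% directories."""
    folder, _, _ = path.lower().rpartition("\\")
    return folder in SYSTEM_DIRS


def flag_bho_entries(bho_entries: Dict[str, str]) -> List[str]:
    """Return the CLSIDs whose registered DLL matches the page's indicators.

    bho_entries maps a BHO CLSID to the DLL path registered for it. A match
    needs both a listed file name and a %SYSTEM% location, so a same-named
    DLL elsewhere is reported as clean.
    """
    hits = []
    for clsid, dll_path in bho_entries.items():
        file_name = dll_path.rpartition("\\")[2].lower()
        if file_name in KNOWN_DLL_NAMES and in_system_dir(dll_path):
            hits.append(clsid)
    return hits


def flag_proxy_lines(lines: List[str]) -> List[str]:
    """Return the log lines whose requested host is axload.to or a subdomain."""
    hits = []
    for line in lines:
        match = URL_RE.search(line)
        if not match:
            continue
        host = (urlsplit(match.group(0)).hostname or "").lower()
        if host == KNOWN_HOST or host.endswith("." + KNOWN_HOST):
            hits.append(line)
    return hits


def triage(bho_entries: Dict[str, str], proxy_lines: List[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report for an analyst."""
    return {
        "bho_hits": flag_bho_entries(bho_entries),
        "network_hits": flag_proxy_lines(proxy_lines),
    }


# Constructed sample inventory: CLSIDs and the non-indicator paths are made up.
SAMPLE_BHO_ENTRIES = {
    "{00000000-0000-0000-0000-000000000001}": r"C:\WINDOWS\system32\nvrspl32.dll",  # indicator
    "{00000000-0000-0000-0000-000000000002}": r"C:\Program Files\Vendor\toolbar.dll",  # unrelated
    "{00000000-0000-0000-0000-000000000003}": r"C:\Program Files\Vendor\ulib32.dll",  # name only
}

# Constructed proxy log lines (format and URL paths are assumptions, not from the page).
SAMPLE_PROXY_LOG = [
    "2011-11-21T10:00:01 10.0.0.5 GET http://axload.to/update?os=5.1&sp=3 200",
    "2011-11-21T10:00:02 10.0.0.5 GET http://www.example.com/ 200",
    "2011-11-21T10:00:03 10.0.0.9 GET http://cdn.axload.to/payload.bin 200",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BHO_ENTRIES, SAMPLE_PROXY_LOG).items():
        print(key)
        for item in value:
            print("  ", item)
```

On a live Windows host the BHO listing for `flag_bho_entries` comes from the subkeys of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, resolved through each CLSID's InprocServer32 value; the checks here deliberately require both the file name and the %SYSTEM% location, because the listed names are generic enough that a name alone would produce false positives.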