TrojanDropper:Win32/Tarcloin
First posted on 21 December 2012.
Source: Microsoft
Aliases:
TrojanDropper:Win32/Tarcloin is also known as Troj/Meredro-H (Sophos), Trojan.Coinbit.13 (Dr.Web), Trojan.VB2 (Ikarus), Win32.Asim.a (Rising AV).
Explanation:
Installation
You may download TrojanDropper:Win32/Tarcloin, thinking it is a legitimate game launcher for certain popular games, such as The Sims 3 and Assassin's Creed III. However, when run, the launcher will also drop Trojan:Win32/Tarcloin.A, Trojan:Win32/Tarcloin.B and Trojan:Win32/Tarcloin.A!cfg without your knowledge.
The game launcher uses the following icons (icon images not reproduced here):
Payload
Drops other malware
When run, TrojanDropper:Win32/Tarcloin drops the files "winmgr.exe" and "wlnlog.exe" into any one of the following folders:
- %appdata%\bittorrent dna
- %appdata%\identities
- %appdata%\Windows Live Writer
These files are detected as Trojan:Win32/Tarcloin.A, Trojan:Win32/Tarcloin.B and Trojan:Win32/Tarcloin.A!cfg - trojans that use your computer's resources to mine "BitCoins" for the malware authors. BitCoins are used as a digital currency.
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".
When dropped, Trojan:Win32/Tarcloin.A and Trojan:Win32/Tarcloin.B modify the following registry entry to ensure that their copies run at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Integrated Driver"
With data: "<malware file name and location>", for example "C:\Documents and Settings\<user>\Application Data\bittorrent dna\winmgr.exe"
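A read-only host check for the two indicators this entry describes (the dropped file names in the three %APPDATA% folders, and the "Integrated Driver" value under the HKCU Run key) is shown below. It is an added example written for this page, not a Microsoft tool or part of the encyclopedia entry; the function names are ours, and the script assumes it is run in the profile of the affected user on PowerShell 4 or later (Get-FileHash is not available on older versions). Note that the folders "identities" and "Windows Live Writer" exist legitimately on many systems, so only the presence of the two file names, not the folders, is treated as a finding.

```powershell
# Added example (not from the Microsoft encyclopedia entry): a read-only host check
# for the persistence and dropped-file indicators listed for TrojanDropper:Win32/Tarcloin.
# Assumption: run as the affected user; requires PowerShell 4+ for Get-FileHash.

$DropFolders = @('bittorrent dna', 'identities', 'Windows Live Writer')
$DropFiles   = @('winmgr.exe', 'wlnlog.exe')
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'Integrated Driver'

function Get-TarcloinFileIndicators {
    # Resolve %APPDATA% by asking the OS, the same way the entry notes the malware does,
    # so the check works for both the 2000/XP/2003 and the Vista/7/8 profile layouts.
    $appData = [Environment]::GetFolderPath('ApplicationData')
    foreach ($folder in $DropFolders) {
        foreach ($file in $DropFiles) {
            $path = Join-Path (Join-Path $appData $folder) $file
            # The folders themselves can be legitimate; only these file names are the indicator.
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $item = Get-Item -LiteralPath $path
                [pscustomobject]@{
                    Indicator = 'DroppedFile'
                    Path      = $path
                    SizeBytes = $item.Length
                    SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                }
            }
        }
    }
}

function Get-TarcloinRunIndicator {
    # Persistence: the HKCU Run value "Integrated Driver" whose data is the dropped file path.
    # Get-ItemProperty also returns PSPath/PSParentPath etc., so match the value by name.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $RunValue)) {
        $data = [string]$props.$RunValue
        # Record separately whether the data actually names one of the dropped executables,
        # so an unrelated program that happened to use the same value name is distinguishable.
        $namesDropFile = @($DropFiles | Where-Object { $data -match [regex]::Escape($_) }).Count -gt 0
        [pscustomobject]@{
            Indicator        = 'RunKeyValue'
            Path             = "$RunKey\$RunValue"
            Data             = $data
            PointsAtDropFile = $namesDropFile
        }
    }
}

$findings = @(Get-TarcloinFileIndicators) + @(Get-TarcloinRunIndicator)
if ($findings.Count -eq 0) {
    Write-Output 'No Tarcloin indicators found in this user profile.'
} else {
    $findings | Format-List
}
```

The script only reads: it hashes any matching file so the result can be compared against the detection names above in an AV console, and it reports the Run value without modifying it. Because both HKCU and %APPDATA% are per-user, a machine with several profiles needs the same check run once per user (or adapted to walk HKEY_USERS and each profile's AppData\Roaming folder).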
Related encyclopedia entries
Trojan:Win32/Tarcloin.A
Trojan:Win32/Tarcloin.B
Trojan:Win32/Tarcloin.A!cfg
Analysis by Mihai Calota
Last update 21 December 2012