
TrojanDropper:Win32/Vidro.C


First posted on 06 July 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Vidro.C is also known as W32/Troj_Obfusc.S.gen!Eldorado (Authentium), Win32/TrojanDownloader.Small.OXH (ESET), and Win32/Vidro.A (CA).

Explanation :

TrojanDropper:Win32/Vidro.C is an obfuscated 32-bit Windows executable of 32,768 bytes with a self-injector that decrypts and reassembles its own file in memory. When run, it attempts to download and execute malicious files from the web.

TrojanDropper:Win32/Vidro.C is an obfuscated 32-bit Windows executable of 32,768 bytes with a self-injector that decrypts and reassembles its own file in memory. When run, it attempts to execute any file found in its local directory that carries the trojan's own name without an extension, which possibly represents one stage of an update mechanism.

Installation

The trojan checks for a mutex named "Global<integer number>", where <integer number> is computed from unique system characteristics (for instance, the hard drive's volume serial number), so the integer is always the same on a given affected computer. If the mutex is already present, the trojan assumes it is already running and exits. If the mutex is not present, TrojanDropper:Win32/Vidro.C creates it.

The trojan then attempts to connect and recover the date and time values by issuing an HTTP request to one of the following domains, trying them in turn until one succeeds:

www.mozilla.com
www.live.com
www.aol.com
www.download.com
www.msn.com
www.news.com
www.cnn.com
www.weather.com
www.yahoo.com
www.go.com
www.hp.com
www.bbc.co.uk
www.dyndns.org

If all requests fail, the trojan assumes that no Internet connection is available and exits. If a request succeeds, it proceeds to download a file from a host whose name is built from a limited set of pseudorandom character sequences prepended to the domain "dyndns.org", for instance:

pkbrvcnqrt.dyndns.org

Varying the host name in this way makes the download requests harder to filter with a fixed blocklist, so, provided enough attempts are made, the probability of successfully downloading a malicious file is high. TrojanDropper:Win32/Vidro.C stores the downloaded file in the Temporary files folder under a file name generated by a system API call, executes it, and then terminates its own process.
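The behaviour above gives a defender a usable network signature: a client first touches one of the fixed connectivity-check domains and then requests a pseudorandom label directly under dyndns.org. The following Python script is an added example, not code from the original write-up or from the malware itself. It runs over constructed proxy log lines (the log format, the client addresses, and the vowel-ratio heuristic for "generated-looking" labels are assumptions made for the example; the probe domains and the sample host pkbrvcnqrt.dyndns.org come from the description) and reports clients that show the probe-then-dyndns sequence.

```python
"""Flag proxy-log activity matching the Vidro.C probe-then-download pattern."""
import re
from collections import defaultdict

# Connectivity-check domains listed in the write-up.
PROBE_DOMAINS = {
    "www.mozilla.com", "www.live.com", "www.aol.com", "www.download.com",
    "www.msn.com", "www.news.com", "www.cnn.com", "www.weather.com",
    "www.yahoo.com", "www.go.com", "www.hp.com", "www.bbc.co.uk",
    "www.dyndns.org",
}

# Assumed shape of the generated download host: one label of lowercase
# letters directly under dyndns.org, as in the sample pkbrvcnqrt.dyndns.org.
RANDOM_SUB = re.compile(r"^([a-z]{6,16})\.dyndns\.org$")

VOWELS = set("aeiou")

# Constructed proxy log format (an assumption for this example):
# "<timestamp> <client_ip> <method> <host> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log: 10.0.0.5 shows the Vidro.C sequence, 10.0.0.9 uses a
# legitimate-looking dyndns.org host, 10.0.0.12 never performs a probe.
SAMPLE_LOG = """\
2010-07-06T10:00:01 10.0.0.5 GET www.mozilla.com 200
2010-07-06T10:00:02 10.0.0.5 GET pkbrvcnqrt.dyndns.org 200
2010-07-06T10:00:03 10.0.0.5 GET qwxzvbnmkl.dyndns.org 404
2010-07-06T10:00:04 10.0.0.9 GET www.cnn.com 200
2010-07-06T10:00:05 10.0.0.9 GET myhomeserver.dyndns.org 200
2010-07-06T10:00:06 10.0.0.12 GET abcdefghij.dyndns.org 200
this line is not a valid record
""".splitlines()


def parse_line(line):
    """Return (timestamp, client_ip, method, host, status) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.groups()


def looks_generated(label):
    """Heuristic (assumption): a label with fewer than 25% vowels is treated as
    a pseudorandom sequence rather than a chosen word. Tune for your traffic."""
    vowels = sum(1 for c in label if c in VOWELS)
    return vowels / len(label) < 0.25


def analyze(lines):
    """Return {client_ip: {"probes": [...], "suspect_hosts": [...]}} for every
    client that hit a probe domain and afterwards requested a generated-looking
    dyndns.org host. A 404 still counts: the trojan retries until a fetch works."""
    state = defaultdict(lambda: {"probes": [], "suspect_hosts": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than aborting the sweep
        _ts, ip, _method, host, _status = rec
        client = state[ip]
        if host in PROBE_DOMAINS:
            client["probes"].append(host)
            continue
        m = RANDOM_SUB.match(host)
        if m and client["probes"] and looks_generated(m.group(1)):
            client["suspect_hosts"].append(host)
    return {ip: s for ip, s in state.items() if s["suspect_hosts"]}


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: probed {info['probes']}, then fetched {info['suspect_hosts']}")
```

Requiring the probe before the dyndns.org request keeps the rule from firing on ordinary dyndns.org users, and the vowel-ratio check is deliberately loose; in production you would replace it with a per-label entropy score or a feed of known-generated labels, and you would key on the sequence across the whole fleet, since a single 32 KB dropper produces only a handful of requests before it exits.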

Analysis by Oleg Petrovsky

Last update 06 July 2010
