TrojanSpy:Win32/Broonject.B
First posted on 04 February 2012.
Source: Microsoft
Aliases:
There are no other names known for TrojanSpy:Win32/Broonject.B.
Explanation:
TrojanSpy:Win32/Broonject.B is a trojan that is injected into a hidden instance of Internet Explorer and may communicate with a remote server. The trojan is installed by TrojanDropper:Win32/Broonject.B.
Installation
The trojan is installed by a trojan dropper, detected as TrojanDropper:Win32/Broonject.B. When this trojan dropper is run, it installs TrojanSpy:Win32/Broonject.B by dropping the following files:
- <system folder>\<file name>d.dll - TrojanSpy:Win32/Broonject.B
- <system folder>\<file name>d.exe - TrojanSpy:Win32/Broonject.B
Where <file name> was observed to be "wincfg" or "userdom" (e.g. "userdomd.exe").
TrojanDropper:Win32/Broonject.B launches a hidden instance of Internet Explorer and injects the dropped DLL component (for example, "userdomd.dll") into that process.
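A host triage check for the installation behaviour described above, as an added example that is not part of the original write-up or any Microsoft tooling. It looks only for the two observed <file name> values ("wincfg" and "userdom"); the function names are hypothetical, and the SysWOW64 lookup is an assumption about file-system redirection on 64-bit Windows.

```powershell
# Added triage example. File names come from the write-up; other <file name>
# values may exist, so an empty result does not prove the host is clean.
$observedBases = 'wincfg', 'userdom'
$systemFolders = @([Environment]::SystemDirectory)
# Assumption: on 64-bit Windows a 32-bit dropper writes to SysWOW64 instead.
$wow64 = Join-Path $env:windir 'SysWOW64'
if (Test-Path -LiteralPath $wow64) { $systemFolders += $wow64 }

function Get-BroonjectFileHits {
    # Reports any <system folder>\<file name>d.dll / d.exe that is present.
    foreach ($dir in $systemFolders) {
        foreach ($base in $observedBases) {
            foreach ($ext in 'dll', 'exe') {
                $path = Join-Path $dir ('{0}d.{1}' -f $base, $ext)
                if (Test-Path -LiteralPath $path) {
                    $item = Get-Item -LiteralPath $path -Force   # -Force: include hidden files
                    [pscustomobject]@{
                        Path    = $item.FullName
                        Created = $item.CreationTimeUtc
                        SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    }
                }
            }
        }
    }
}

function Get-BroonjectIeHits {
    # Reports iexplore.exe processes that have one of the dropped DLLs loaded.
    # Run from a 32-bit PowerShell to see the modules of 32-bit IE processes.
    $dllNames = foreach ($b in $observedBases) { "${b}d.dll" }
    foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
        try { $mods = $p.Modules } catch { continue }   # access denied or process exited
        foreach ($m in $mods) {
            if ($dllNames -contains $m.ModuleName) {    # -contains is case-insensitive
                [pscustomobject]@{
                    ProcessId = $p.Id
                    Module    = $m.FileName
                    HasWindow = ($p.MainWindowHandle -ne [IntPtr]::Zero)
                }
            }
        }
    }
}

Get-BroonjectFileHits | Format-List
Get-BroonjectIeHits  | Format-Table -AutoSize
```

A hit with HasWindow set to False matches the hidden Internet Explorer instance described above; a windowless iexplore.exe without the module loaded is not an indicator on its own, since legitimate IE processes can also lack a main window.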
Payload
Communicates with a remote host
This trojan attempts to connect with one of the following remote servers:
- 66.<removed>.132.11
- reg<removed>.puzzleofworld.com
- inf<removed>.puzzleofworld.com
- dat<removed>.puzzleofworld.com
Analysis by Wei Li
Last update 04 February 2012