
TrojanDownloader:W97M/Donoff


First posted on 23 January 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:W97M/Donoff.

Explanation:

Threat behavior

Installation

This threat is a malicious macro script for Microsoft Office files. The macro can download and run other malware on your PC.

It can be installed when you open an attachment to a spam email. For example, we have seen this threat attached to the following spam emails in a Word document (.doc file):
[Screenshots of the spam emails are not reproduced in this copy of the entry.]

We have also seen the email attachment use file names such as:

  • Invoice_007012_4_2015.doc
  • Week_2invoice.doc


Payload

Downloads other malware

The infected .doc files contain a malicious macro script that, when opened, can download and run other malware onto your PC.

The malware uses social engineering tactics to try to get you to enable macro scripting when you view the document, as macro scripts are usually disabled by default in Microsoft Office.

We have seen the malware use the following fake warnings in an attempt to get you to enable macros:
[Screenshots of the fake macro warnings are not reproduced in this copy of the entry.]

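The behaviour described above (a .doc attachment whose macro does nothing until the reader enables macros) is easiest to stop before a user ever sees the enable-macros prompt. The following script is an added example, not code from the Microsoft entry: it inspects an Office attachment at a mail gateway and reports whether it carries a VBA project. For OOXML files it checks the zip for a `word/vbaProject.bin` part; for legacy binary .doc files it looks for the UTF-16LE directory-entry name `Macros` in the OLE compound file, which is a byte-scan heuristic rather than a full CFB parser. The `triage_attachment` policy (allow / quarantine / block), the `_build_*` helpers and the sample files they construct in memory are all assumptions made for this example.

```python
"""Triage an Office attachment for an embedded VBA project (added example)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file signature
ZIP_MAGIC = b"PK\x03\x04"                          # first local file header of a zip
# OLE directory-entry names are stored null-terminated in UTF-16LE; these two
# mark a VBA project in a legacy .doc. Heuristic, not a structural parse.
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("Macros\x00", "_VBA_PROJECT\x00")]


def ooxml_has_vba(data):
    """True if the zip-based Office document contains a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def ole_has_vba(data):
    """True if a legacy OLE document contains a VBA storage name (heuristic)."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in OLE_VBA_MARKERS)


def triage_attachment(filename, data):
    """Return (verdict, reason). The verdict policy is this example's assumption."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(ZIP_MAGIC):
        try:
            has_vba = ooxml_has_vba(data)
        except zipfile.BadZipFile:
            return ("block", "zip container is corrupt")
        if has_vba and ext != "docm":
            # Word only runs macros from .docm, so a VBA part in a .docx is
            # either a renamed file or tampering; treat it as hostile.
            return ("block", "VBA project inside a file not named .docm")
        if has_vba:
            return ("quarantine", "macro-enabled document")
        return ("allow", "OOXML document without VBA")
    if data.startswith(OLE_MAGIC):
        if ole_has_vba(data):
            return ("quarantine", "legacy .doc with VBA storage")
        return ("allow", "legacy OLE document without VBA storage")
    return ("allow", "not an Office container")


# --- constructed sample files (not real malware, built in memory) -----------
def _build_ooxml(with_vba):
    """Minimal zip laid out like a Word document, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _build_fake_ole(with_vba):
    """OLE signature plus padding and directory-entry-style names; enough to
    exercise the byte-scan heuristic, not a valid compound file."""
    data = OLE_MAGIC + b"\x00" * 504 + "WordDocument\x00".encode("utf-16-le")
    if with_vba:
        data += "Macros\x00".encode("utf-16-le")
    return data


if __name__ == "__main__":
    samples = [
        ("Invoice_007012_4_2015.doc", _build_fake_ole(True)),   # name pattern from the entry
        ("Week_2invoice.doc", _build_fake_ole(False)),
        ("quarterly.docm", _build_ooxml(True)),
        ("renamed.docx", _build_ooxml(True)),
        ("plain.docx", _build_ooxml(False)),
    ]
    for name, blob in samples:
        print(name, "->", triage_attachment(name, blob))
```

The OLE check deliberately errs towards false positives: any legacy document whose directory contains a `Macros` storage is quarantined for a closer look, which is the right trade-off at a gateway where a missed macro means the user gets the social-engineering prompt.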
Once macros are enabled, we have seen this threat contact the following URLs to download files, including malware:

  • adobe-support.us/.exe
  • bluefile.biz/files/.exe
  • bringbackourgals.biz/php//ken.exe
  • bustedrubberbabies.com/js/.exe
  • chinamanwoody.com/.php
  • chopsecurity.ru/microsoft/word/.com
  • climate54.ru/modules/mod_araticlhess/.php
  • colfdoc.it/cart/.exe
  • datnigga.website/.exe
  • dhanophan.co.th/js/.exe
  • getimgdcenter.ru/.png
  • goldriverlinedancers.nl/components/dancers/.exe
  • goo.gl/
  • www.hohlik001.nazwa.pl/.exe
  • iloveberniemovie.ru/.png
  • internetincomeengine.net/.exe
  • joeniclesd.hostingsiteforfree.com/.exe
  • legendarydownloads.com/.exe
  • managercomponent.usa.cc/errors/.0.exe
  • offshorebags.asia/.exe
  • omc.hostingsiteforfree.com/.exe
  • papeleriaelcid.com/aurora/ajax/.exe
  • rghost.net/download/57465888/967d4c206f2a944160ffcc0f2b889f90a506653d/.exe
  • s1.directxex.net/uploads/
  • socialnetchat.tk/uch/.exe
  • u.to/


The downloaded malware is usually saved and run from %APPDATA% or %TEMP%. For example, we have seen malware saved to the following locations:

  • %APPDATA%\fdataupdate.com
  • %APPDATA%\VTAYOVKKIET.exe
  • %TEMP%\1101.exe
  • %TEMP%\8fvk.exe
  • %TEMP%\enu.exe
  • %TEMP%\HZLAFFLTDDO.exe
  • %TEMP%\msml.exe
  • %TEMP%\NYHEFLJDPZR.exe
  • %TEMP%\sentinel.exe
  • %TEMP%\xml.exe
  • %USERPROFILE%\EPGRE.exe
  • %USERPROFILE%\fkjhlkj23.com
  • %USERPROFILE%\SHIPA.exe
  • C:\JGSNUWKJRFC.exe


We have seen the following threats being downloaded:

  • Backdoor:Win32/Fynloski.A
  • Backdoor:Win32/Vawtrak
  • Ransom:MSIL/Swappa.A
  • Ransom:Win32/Teerac.A
  • TrojanDownloader:Win32/Drixed.A
  • Worm:Win32/Gamarue

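The two indicator lists above (the download URLs and the drop locations) are most useful when they are matched against telemetry automatically. The script below is an added example, not code from the Microsoft entry: it folds the download hosts into a lookup set, splitting the URL shorteners and the public file host into a low-confidence tier, and it normalises expanded Windows profile paths back to the `%TEMP%` / `%APPDATA%` / `%USERPROFILE%` form the entry uses before checking whether an executable was started from one of those directories or a drive root. The pipe-separated proxy and process log formats, the field order, the workstation and user names, the sample lines, and the rule that the parent process must be `WINWORD.EXE` are all assumptions of this example; the entry itself only says the macro downloads and runs the payload.

```python
"""Match proxy and process telemetry against the Donoff indicators (added example)."""
import re
from urllib.parse import urlsplit

# Download hosts from the entry's URL list. Shorteners and the public file
# host are kept apart because a hit on them alone is weak evidence.
HIGH_CONFIDENCE_HOSTS = {
    "adobe-support.us", "bluefile.biz", "bringbackourgals.biz",
    "bustedrubberbabies.com", "chinamanwoody.com", "chopsecurity.ru",
    "climate54.ru", "colfdoc.it", "datnigga.website", "dhanophan.co.th",
    "getimgdcenter.ru", "goldriverlinedancers.nl", "hohlik001.nazwa.pl",
    "iloveberniemovie.ru", "internetincomeengine.net",
    "joeniclesd.hostingsiteforfree.com", "legendarydownloads.com",
    "managercomponent.usa.cc", "offshorebags.asia",
    "omc.hostingsiteforfree.com", "papeleriaelcid.com",
    "s1.directxex.net", "socialnetchat.tk",
}
LOW_CONFIDENCE_HOSTS = {"goo.gl", "u.to", "rghost.net"}

# Expanded profile paths are folded back to the %VAR% tokens the entry uses.
# Order matters: the most specific prefix must be tried first.
_ROOT_TOKENS = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp", re.I), "%TEMP%"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", re.I), "%APPDATA%"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+", re.I), "%USERPROFILE%"),
]
DROP_DIRS = {"%TEMP%", "%APPDATA%", "%USERPROFILE%"}


def ioc_confidence(url):
    """Return 'high', 'low' or None depending on whether the URL's host is listed."""
    if "://" not in url:            # the entry lists scheme-less URLs
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in HIGH_CONFIDENCE_HOSTS:
        return "high"
    if host in LOW_CONFIDENCE_HOSTS:
        return "low"
    return None


def normalize_path(path):
    """Replace an expanded profile prefix with its %VAR% token."""
    for rx, token in _ROOT_TOKENS:
        path = rx.sub(token, path, count=1)
    return path


def is_suspicious_drop_path(image_path):
    """True for an .exe/.com sitting directly in a listed drop directory or a drive root."""
    path = normalize_path(image_path.strip())
    if "\\" not in path:
        return False
    parent, name = path.rsplit("\\", 1)
    in_drop_dir = parent.upper() in DROP_DIRS or re.fullmatch(r"[a-z]:", parent, re.I) is not None
    return in_drop_dir and name.lower().endswith((".exe", ".com"))


def triage_proxy(lines):
    """Yield (timestamp, host, user, url, confidence) for each listed-host request."""
    hits = []
    for line in lines:
        ts, host, user, url = line.rstrip("\n").split("|", 3)
        conf = ioc_confidence(url)
        if conf:
            hits.append((ts, host, user, url, conf))
    return hits


def triage_processes(lines):
    """Yield (timestamp, host, image) when Word starts an executable from a drop location.
    Requiring WINWORD.EXE as the parent is this example's assumption."""
    hits = []
    for line in lines:
        ts, host, parent, image = line.rstrip("\n").split("|", 3)
        if parent.lower().endswith("\\winword.exe") and is_suspicious_drop_path(image):
            hits.append((ts, host, image))
    return hits


# Constructed sample log lines: timestamp|host|user|url and timestamp|host|parent|image
PROXY_LOG = [
    "2015-01-23T09:12:05Z|ws-017|alice|http://bluefile.biz/files/sample.exe",
    "2015-01-23T09:12:09Z|ws-017|alice|https://www.microsoft.com/en-us/",
    "2015-01-23T09:13:40Z|ws-022|bob|http://goo.gl/example",
]
PROCESS_LOG = [
    "2015-01-23T09:12:11Z|ws-017|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Users\\alice\\AppData\\Local\\Temp\\1101.exe",
    "2015-01-23T09:15:02Z|ws-022|C:\\Windows\\explorer.exe|C:\\Program Files\\7-Zip\\7zFM.exe",
    "2015-01-23T09:16:30Z|ws-017|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE|C:\\Users\\alice\\Documents\\notes.exe",
]

if __name__ == "__main__":
    for hit in triage_proxy(PROXY_LOG):
        print("proxy  ", hit)
    for hit in triage_processes(PROCESS_LOG):
        print("process", hit)
```

The path rule is intentionally narrow (the executable must sit directly in the profile root, `%APPDATA%`, `%TEMP%` or a drive root, exactly as the entry lists them); widening it to any sub-directory of the profile would catch far more ordinary software and is better done as a separate, lower-severity rule.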



Analysis by Ric Robielos

Symptoms

The following can indicate that you have this threat on your PC:

  • You open an email attachment and see the following warning in the document:
[Screenshot of the warning is not reproduced in this copy of the entry.]

Last update 23 January 2015