TrojanDropper:Win32/Maran.AU
First posted on 27 March 2009.
Source: SecurityHome
Aliases:
TrojanDropper:Win32/Maran.AU is also known as Win-Trojan/Maran.348160 (AhnLab), Win32/MaranPWS (CA), Trojan-PSW.Win32.Maran.ld (Kaspersky), W32/Packed_Upack.H (Norman), Trj/Maran.DY (Panda), Troj/Maran-Gen (Sophos), Infostealer.Gampass (Symantec), TSPY_MARAN.ADH (Trend Micro).
Explanation:
Win32/Maran.AU is a trojan that drops and installs other malware, which may be detected as TrojanSpy:Win32/Maran.AT, PWS:Win32/Maran.B, or TrojanSpy:Win32/Maran.gen!B.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
<system folder>\odvwer4.dll
%windir%\avp.exe

This malware may download other malware, such as TrojanSpy:Win32/Maran.AT, PWS:Win32/Maran.B, or TrojanSpy:Win32/Maran.gen!B. Alerts for these threats may indicate the presence of Win32/Maran.AU in the system.

Win32/Maran.AU is a trojan that drops and installs other malware. It drops the following files in the system:
<system folder>\odvwer4.dll - detected as TrojanSpy:Win32/Maran.AT
%windir%\avp.exe - detected as PWS:Win32/Maran.B or TrojanSpy:Win32/Maran.gen!B

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

The dropped EXE file is registered as a service, which may have one of the following names:
VideoManagerDown
VGADown

Win32/Maran.AU then deletes itself once it has performed its malware routine.

Analysis by Dan Kurc
Last update 27 March 2009
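
A host triage check for the indicators listed above, as an added example that is not part of the original write-up: it looks for the two dropped files and for a service named VideoManagerDown or VGADown. The SysWOW64 lookup and the match on a service image path pointing at %windir%\avp.exe are assumptions added here, not statements from the page.

```powershell
# Added example: triage a Windows host for the Win32/Maran.AU indicators on this page.
# Run from an elevated PowerShell 3.0+ prompt on the host being examined.

$sysDir = [Environment]::SystemDirectory            # the page's <system folder>
$avpExe = Join-Path $env:windir 'avp.exe'
$filePaths = @((Join-Path $sysDir 'odvwer4.dll'), $avpExe)

# Assumption (not from the page): on 64-bit Windows, file writes by a 32-bit
# process to System32 are redirected to SysWOW64, so look there as well.
$wow64 = Join-Path $env:windir 'SysWOW64'
if (Test-Path -LiteralPath $wow64 -PathType Container) {
    $filePaths += Join-Path $wow64 'odvwer4.dll'
}

$serviceNames = @('VideoManagerDown', 'VGADown')   # service names from the page
$findings = @()

foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $f = Get-Item -LiteralPath $path -Force     # -Force: also hidden/system files
        $findings += [pscustomobject]@{
            Type   = 'File'
            Name   = $f.FullName
            Detail = 'size={0} createdUtc={1:u}' -f $f.Length, $f.CreationTimeUtc
        }
    }
}

# Flag a service when its name matches, or (assumption) when its image path
# points at %windir%\avp.exe under some other service name.
$avpPattern = [regex]::Escape($avpExe)
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (($serviceNames -contains $svc.Name) -or ($svc.PathName -match $avpPattern)) {
        $findings += [pscustomobject]@{
            Type   = 'Service'
            Name   = $svc.Name
            Detail = 'state={0} start={1} path={2}' -f $svc.State, $svc.StartMode, $svc.PathName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Maran.AU file or service indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit is a lead to confirm with an up-to-date scanner; because the dropper deletes itself after running, only the dropped files and the service registration are expected to remain.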