ViRobot


Threats DB

Trojan.Win32.S.Infostealer.55296

Aliases:
Typical Symptoms:
Discovered: [Korea] 2014-01-20, [Foreign] 2014-01-20
Type: Trojan Horse
Active field: Win32
Destroy/Distribution:
Origin: others
Encryption: NO
Location: None
Memory residence: YES
Scan engine needed: -- [Able to detect & repair]
Description

[File]

ko.dll (MD5 : E2B7364425133698236EDE46460D1F27, SIZE : 55,296)

 

A. Main symptoms of infection

It collects computer information and sends the collected data to a specific email address.

 

B. Analysis information

1) It loads the APIs that are necessary to run the malicious code.

2) It collects computer information (e.g. OS version, Product ID, host name, ...) and saves the information to the path (%temp%nls303kr.lex).

3) It bypasses the firewall.

4) It tries to connect to the following mail server and log in.


- Domain : mail.india.com
- ID : *********@india.com PW : ****************

 

 

5) It reads the nls303kr.lex file and encrypts its contents.
The encrypted file is saved to the path (%temp%1.pdf).


 

- Decoding logic

 

6) If the login succeeds, it sends 1.pdf via email.

7) It downloads files from the email inbox and runs them, but it does not currently download the files.

Path: %temp%kmplayer.exe
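
A host check built from the indicators in steps 2, 5 and 7 and the ko.dll hash above. This is an added example, not part of the original ViRobot entry; the names scan, md5_of and ARTIFACTS are illustrative, and it assumes the listed files sit directly in the user's temp directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators published in this entry for ko.dll.
DLL_MD5 = "e2b7364425133698236ede46460d1f27"
DLL_SIZE = 55296  # bytes
# File names reported under %temp%. "1.pdf" and "kmplayer.exe" are common
# names, so a name match alone is a lead for triage, not a verdict.
ARTIFACTS = {
    "nls303kr.lex": "collected host information (step 2)",
    "1.pdf": "encrypted copy staged for sending (step 5)",
    "kmplayer.exe": "path used for files fetched from the inbox (step 7)",
}

def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks; MD5 is used only because the entry publishes it."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan(temp_dir, search_roots=(), md5=DLL_MD5, size=DLL_SIZE):
    """Return (kind, path, detail) tuples for artifact names and hash matches."""
    findings = []
    temp_dir = Path(temp_dir)
    if temp_dir.is_dir():
        for entry in temp_dir.iterdir():
            # Windows file names are case-insensitive, so compare lowercased.
            meaning = ARTIFACTS.get(entry.name.lower())
            if meaning and entry.is_file():
                findings.append(("artifact", str(entry), meaning))
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                try:
                    # Size is a cheap pre-filter before reading the file.
                    if path.stat().st_size == size and md5_of(path) == md5.lower():
                        findings.append(("sample", str(path), "size and MD5 match"))
                except OSError:
                    continue  # unreadable or removed while scanning
    return findings

if __name__ == "__main__":
    tmp = os.environ.get("TEMP", tempfile.gettempdir())
    for kind, path, detail in scan(tmp, search_roots=[tmp]):
        print(f"[{kind}] {path}: {detail}")
```

A "sample" finding is the strong signal; "artifact" findings for 1.pdf or kmplayer.exe need a look at the file itself before drawing a conclusion.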

 


Removal Instructions

[How to repair]

Reparable by ViRobot engine ver.2014-02-13 or above.


Copyright 2008 @ HAURI Inc. All rights reserved.