Troj_patch.cd
Old 01-11-2008

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

[Behavior Diagram: image not included in this copy]

Malware Overview
This is the Trend Micro detection for a normal file, IEXPLORE.EXE, that has had malicious code inserted into it.
Its characteristics are similar to those of PE_HUNK variants. However, unlike PE_HUNK, this Trojan does not infect *.EXE files.
It deletes the file %Systemdir%\dllcache\iexplore.exe. It then renames its own copy, %User_Temp%\ore.exe, to the name of the deleted file and puts it in place of the deleted file.
It creates a backup of the original file %ProgramFiles%\Internet Explorer\iexplore.exe and saves it as %User_Temp%\~0re.tmp.
Afterwards, it replaces the original file %ProgramFiles%\Internet Explorer\iexplore.exe with the malicious copy now at %Systemdir%\dllcache\iexplore.exe. As a result, the malware is unknowingly run every time a user accesses the Internet.
It connects to certain URLs that can be used to transmit system information and possibly to update a copy of itself.
However, the said links are inaccessible as of this writing.
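The file swap described above leaves three things a responder can look for without any vendor tooling: the dropped or renamed files in the user's temp directory, the backed-up original saved as ~0re.tmp, and a live iexplore.exe whose hash no longer matches either that backup or a trusted reference build. The script below is an added example (not Trend Micro's code, and not taken from the advisory) that checks exactly those indicators and only reports, changing nothing on disk. It assumes a known-good SHA-256 of iexplore.exe is obtained separately from a clean install of the same IE build; the run_demo() layout and file contents are constructed placeholders, not real PE images.

```python
"""Host check for the TROJ_PATCH.CD file-swap artifacts named in the advisory.

Added example, not vendor tooling. It inspects the three locations the
advisory describes and returns findings; it never modifies the host.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Files the advisory says the Trojan leaves in the user's temp directory.
TEMP_ARTIFACTS = ("ore.exe", "~0re.tmp")


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_host(program_files: Path, system_dir: Path, user_temp: Path,
               known_good_sha256: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means no indicator was seen.

    known_good_sha256 is the hash of iexplore.exe from a trusted reference
    install of the same IE build (assumed to be obtained separately).
    """
    findings = []
    ie = program_files / "Internet Explorer" / "iexplore.exe"
    cache = system_dir / "dllcache" / "iexplore.exe"
    backup = user_temp / "~0re.tmp"

    for name in TEMP_ARTIFACTS:
        if (user_temp / name).exists():
            findings.append(f"temp artifact present: {user_temp / name}")

    if not cache.exists():
        findings.append(f"missing: {cache}")

    if ie.exists():
        ie_hash = sha256_of(ie)
        # The advisory says ~0re.tmp is the backed-up original, so a live
        # iexplore.exe that no longer matches it has been replaced.
        if backup.exists() and sha256_of(backup) != ie_hash:
            findings.append("iexplore.exe differs from backed-up original ~0re.tmp")
        if known_good_sha256 and ie_hash != known_good_sha256.lower():
            findings.append("iexplore.exe does not match known-good hash")
        # Both copies get overwritten with the same file, so a matching pair
        # proves nothing on its own; record it only alongside other findings.
        if cache.exists() and sha256_of(cache) == ie_hash and findings:
            findings.append("dllcache copy is identical to the suspect iexplore.exe")
    return findings


def build_sample_host(root: Path, infected: bool):
    """Create a constructed directory layout mimicking the advisory's paths.

    Returns (program_files, system_dir, user_temp, known_good_hash).
    File contents are placeholders, not real executables.
    """
    pf, sysdir, tmp = root / "Program Files", root / "system32", root / "Temp"
    (pf / "Internet Explorer").mkdir(parents=True)
    (sysdir / "dllcache").mkdir(parents=True)
    tmp.mkdir()
    original = b"CLEAN-IEXPLORE-PLACEHOLDER"
    (pf / "Internet Explorer" / "iexplore.exe").write_bytes(original)
    (sysdir / "dllcache" / "iexplore.exe").write_bytes(original)
    known_good = hashlib.sha256(original).hexdigest()
    if infected:
        # Reproduce the swap the advisory describes: backup saved to temp,
        # then both copies replaced with the patched file.
        patched = original + b"<inserted-code-placeholder>"
        (tmp / "~0re.tmp").write_bytes(original)
        (sysdir / "dllcache" / "iexplore.exe").write_bytes(patched)
        (pf / "Internet Explorer" / "iexplore.exe").write_bytes(patched)
    return pf, sysdir, tmp, known_good


def run_demo():
    """Run the check against a clean and an infected constructed layout."""
    results = []
    for infected in (False, True):
        with tempfile.TemporaryDirectory() as d:
            pf, sysdir, tmp, known_good = build_sample_host(Path(d), infected)
            results.append(check_host(pf, sysdir, tmp, known_good))
    return results[0], results[1]


if __name__ == "__main__":
    clean, infected = run_demo()
    print("clean host:", clean or "no indicators")
    print("infected host:", *infected, sep="\n  ")
```

On a real Windows host the same function is called with Path(os.environ["ProgramFiles"]), Path(os.environ["SystemRoot"]) / "system32" and Path(os.environ["TEMP"]). Because the Trojan overwrites both the Program Files and dllcache copies with the same file, comparing those two against each other is not a useful check on its own; the backup ~0re.tmp and an externally obtained known-good hash are what give the verdict.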