Malware Information

Malware name: Trojan.Dldr.Tiny.brm
Type: Trojan
Affected platform: Win32
Media type: application/executable
MD5 checksum: 6B4EF50E3E21205685CEA919EBF93476
Static file: yes
File size: 8,192 Bytes
Alias names (also known as):
  Sophos: Troj/Agent-HFU
  McAfee: Generic Downloader.ab
  CA ETrust: Win32/SillyDl.EUC
Side effects: Downloads a malicious file
Propagation: No own spreading routine

Description:

Files

It copies itself to the following location:
• %SYSDIR%\userinit.exe

It renames the following file:
• %SYSDIR%\userinit.exe into %SYSDIR%\userini.exe

It deletes the initially executed copy of itself.

– %TEMPDIR%\%three-digit random character string%.tmp
Further investigation showed that this file is malware as well. Detected as: Trojan.Dldr.Tiny.brm.1

It tries to download a file from the following location:
• http://fixaserver.ru/**********gate.php**********
The downloaded file is executed once the download has completed. At the time of writing, the file was no longer available online for further investigation.

Email

It has no spreading routine of its own, but it was spammed out via email. The characteristics of the messages are described in the following:

From:
The sender address is spoofed.


Subject:
One of the following:
• Ihr UPS Paket %random character string%
• UPS Paket %random character string%



Body:
The body of the email is the following:

• Guten Tag,
leider konnten wir ihren Paket gesendet am 01. Juli nicht zustellen, da
die Adresse des Empfangers nicht existiert. Drucken Sie bitte den Lieferschein im Anhang dieser Mail aus,
und holen Sie ihr Paket bei uns ab.

• Dear Sir/Madam,

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS


Attachment:
The filename of the attachment is one of the following:
• UPS_Lieferschein_8102.zp
• ups_invoice.zip

The attachment is an archive containing a copy of the malware itself.
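
As an added example, not part of the original report: a small Python checker that looks for the host and email indicators listed above in a constructed file inventory and a constructed message. The paths, the 8,192-byte size, the MD5 checksum, the subject prefixes and the attachment names come from the report; the inventory schema (`path`/`size`/`md5` dicts), the clean-file sizes and placeholder hashes, and the exact subject regex are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Indicators taken from the report. The %SYSDIR% / %TEMPDIR% placeholders are
# kept as written there; a real collector would expand them to concrete paths.
SAMPLE_MD5 = "6b4ef50e3e21205685cea919ebf93476"
SAMPLE_SIZE = 8192
DROPPED_COPY = r"%SYSDIR%\userinit.exe"          # the trojan's copy
RENAMED_ORIGINAL = r"%SYSDIR%\userini.exe"       # the legitimate userinit.exe after renaming
TEMP_DROP = re.compile(r"^%TEMPDIR%\\[A-Za-z0-9]{3}\.tmp$", re.IGNORECASE)

# Email lure indicators. The regex is an assumption: the report gives the two
# subject prefixes followed by a random character string.
SUBJECT_PATTERN = re.compile(r"^(Ihr )?UPS Paket \S+$")
ATTACHMENT_NAMES = {"ups_lieferschein_8102.zp", "ups_invoice.zip"}


def check_file_indicators(inventory: List[Dict]) -> List[str]:
    """Return findings for a host file inventory.

    Each entry is a dict with 'path', 'size' and 'md5' keys (hypothetical schema).
    Paths are compared case-insensitively, as on Windows.
    """
    findings: List[str] = []
    by_path = {e["path"].lower(): e for e in inventory}

    userinit = by_path.get(DROPPED_COPY.lower())
    if userinit and userinit["md5"].lower() == SAMPLE_MD5:
        findings.append("userinit.exe matches the Trojan.Dldr.Tiny.brm sample hash")
    elif userinit and userinit["size"] == SAMPLE_SIZE:
        findings.append("userinit.exe has the sample's size (8,192 bytes); verify its hash")

    # The renamed original is the strongest structural clue: a clean host has
    # no userini.exe at all, so its mere presence is suspicious.
    if RENAMED_ORIGINAL.lower() in by_path:
        findings.append("userini.exe present: original userinit.exe appears to have been renamed")

    # Three-character .tmp names in %TEMPDIR% are a weak indicator on their own;
    # report them for review rather than as a confirmed hit.
    for path, entry in by_path.items():
        if TEMP_DROP.match(path):
            findings.append(f"{entry['path']}: temp drop matching the Trojan.Dldr.Tiny.brm.1 pattern; review")
    return findings


def check_email_indicators(subject: str, attachments: List[str]) -> List[str]:
    """Return findings for one message's subject line and attachment file names."""
    findings: List[str] = []
    if SUBJECT_PATTERN.match(subject):
        findings.append(f"subject matches the UPS lure pattern: {subject!r}")
    for name in attachments:
        if name.lower() in ATTACHMENT_NAMES:
            findings.append(f"attachment name used by the campaign: {name}")
    return findings


# Constructed sample data: the sizes and the zero/placeholder hashes for the
# clean files are invented, not taken from any real system.
SAMPLE_INVENTORY = [
    {"path": r"%SYSDIR%\userinit.exe", "size": 8192, "md5": "6B4EF50E3E21205685CEA919EBF93476"},
    {"path": r"%SYSDIR%\userini.exe", "size": 26624, "md5": "0" * 32},
    {"path": r"%TEMPDIR%\a1b.tmp", "size": 8192, "md5": "1" * 32},
    {"path": r"%SYSDIR%\notepad.exe", "size": 69120, "md5": "2" * 32},
]
SAMPLE_SUBJECT = "Ihr UPS Paket 48217"            # constructed random string
SAMPLE_ATTACHMENTS = ["UPS_Lieferschein_8102.zp"]

if __name__ == "__main__":
    for finding in check_file_indicators(SAMPLE_INVENTORY):
        print("[host] ", finding)
    for finding in check_email_indicators(SAMPLE_SUBJECT, SAMPLE_ATTACHMENTS):
        print("[email]", finding)
```

The hash match is the only definitive host finding; the renamed `userini.exe` and the three-character `.tmp` file are corroborating evidence, which is why the function returns each as a separate line rather than a single verdict.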

File details

Programming language:
The malware program was written in MS Visual C++.