TROJ_DLOADR.XFX - Threat Encyclopedia - Trend Micro

arrow_back search close

• Threat Encyclopedia
• Malware
• TROJ_DLOADR.XFX

TROJ_DLOADR.XFX October 08, 2012

• Email
• Facebook
• Twitter
• Google+
• Linkedin

Analysis by: JessaDALIASES:

TrojanDownloader:Win32/Waledac.C (Microsoft); Mal/Zbot-D (Sophos), Trojan.Gen (Symantec)

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003 OVERALL RISK RATING: DAMAGE POTENTIAL: DISTRIBUTION POTENTIAL: REPORTED INFECTION:

• Threat Type: Trojan
• Destructiveness: No
• Encrypted: Yes
• In the wild: Yes

OVERVIEW

This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system. As of this writing, the said sites are inaccessible.

TECHNICAL DETAILS

File Size: 20,480 bytesFile Type: PEFile Compression: UPXMemory Resident: YesInitial Samples Received Date: 14 Jan 2011

Arrival Details

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://91.200.240.35/vlx777_sdhgjklaogreah.exe

It saves the files it downloads using the following names:

• %Windows%\Temp\_ex-{random numbers}.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

As of this writing, the said sites are inaccessible.

SOLUTION

Minimum Scan Engine: 8.900VSAPI PATTERN File: 7.768.01VSAPI PATTERN Date: 14 Jan 2011VSAPI PATTERN Date: 1/14/2011 12:00:00 AM

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Identify and terminate files detected as TROJ_DLOADR.XFX [ Learn More ][ back ]

1. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
2. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

To terminate the malware/grayware process:

1. Scan your computer with your Trend Micro product and take note of the name of the malware/grayware/spyware detected.
2. Open Windows Task Manager. • For Windows 2000, XP, and Server 2003 users, press CTRL+SHIFT+ESC, then click the Processes tab.
3. In the list of running programs, locate a malware/grayware/spyware file detected earlier.
4. Select the detected files, then press either the End Task or the End Process button, depending on the version of Windows you are using.
5. Do the same for the remaining detected malware/grayware/spyware files in the list of running programs.
6. To check if the malware/grayware/spyware process has been terminated, close Task Manager, and then open it again.
7. Close Task Manager.

Step 3

Search and delete the file detected as TROJ_DLOADR.XFX [ Learn More ][ back ]

To search and delete the malware/grayware file:

1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type the name(s) of the file(s) detected earlier.
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, select the file then press SHIFT+DELETE to permanently delete the file.

Did this description help? Tell us how we did.