W32/Bombka.D!tr

Analysis

W32/Bombka.D!tr - 06-04-04


General Info:

This threat is a "PE" executable file

Network/Internet:

  • It spreads through: mass-emailing
  • Other Payloads: Listen on incoming ports

Files:

  • Drop files: ".exe" + ".dll"

Installation to System:

  • When run, it copies itself to:
    It does not copy itself to the system.
  • Drops the following files:
    It drops the file "game1.exe" in the user's temporary folder (e.g. C:\Documents and Settings\[UserName]\Local Settings\Temp). It also drops the file "kaboom.dll" in the Windows System folder.

Spreading in e-mails:

  • Emails it generates use the following subjects:
    - prendete una pausa...
    - un attimo di relax
  • Emails it generates use the following attachment names:
    - darts-freccette.exe

More Info:

This trojan drops a darts game file in the user's temporary folder and launches it as a decoy. At the same time, it drops the file "kaboom.dll" in the Windows System folder and opens a backdoor that listens on incoming ports. It also adds registry entries so that the malicious DLL is loaded at startup.
