This malware is involved in socially-engineered attacks that feature a popular celebrity. It is also part of the LURID malware campaign.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
File size: Varies
File type: RTF
Initial samples received date: 25 Feb 2012
Payload: Drops files
Arrival Details
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Installation
This Trojan drops the following non-malicious files:
- %User Temp%\word.exe
- %User Temp%\document.doc
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Dropping Routine
This Trojan drops the following files:
- %User Temp%\alg.exe - detected as BKDR_MECIV.LN
- %User Temp%\kernel32.exe - detected as BKDR_MECIV.LN
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It takes advantage of the following software vulnerabilities to drop malicious files:
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
NOTES:
Upon execution, it opens its dropped non-malicious DOC files to hide its malicious routines from the user.
Connect with us on
| | | |