Trojan that using Microsoft Office component - Word to survive and download additional stuff.
If Microsoft Office not installed / Word not present, trojan starting additional svchost process and uses it for it's purposes (in both cases trojan maps malicious dll inside address space of victim processes).
Bot (file.ex_ in attach) is trying to contact _hxxp://netmegasite.net/source/bb.php (C&C link obfuscated) to get additional instructions.
Norton Safe Web report
It is getting additional commands looking like this:
VirusTotal report for 2_u.exe
Set itself to autorun through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.
Original dropper VirusTotal result
Extracted malicious code to be injected inside svchost/winword VirusTotal result
All samples, including payload, attached.
If Microsoft Office not installed / Word not present, trojan starting additional svchost process and uses it for it's purposes (in both cases trojan maps malicious dll inside address space of victim processes).
Bot (file.ex_ in attach) is trying to contact _hxxp://netmegasite.net/source/bb.php (C&C link obfuscated) to get additional instructions.
Norton Safe Web report
It is getting additional commands looking like this:
[info]runurl:_hxxp://www.gynweb.de/forum/customavatars/2_u.e ... 0|backurls:[/info](link obfuscated)
VirusTotal report for 2_u.exe
Set itself to autorun through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.
Original dropper VirusTotal result
Extracted malicious code to be injected inside svchost/winword VirusTotal result
All samples, including payload, attached.
Attachments
pass: malware
(147.77 KiB) Downloaded 127 times
(147.77 KiB) Downloaded 127 times
Ring0 - the source of inspiration