
Trojan.Generic.2581209


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Generic.2581209 is also known as Glecia, Krap.

Explanation:

The malware is distributed as a zip archive attached to an e-mail that claims to come from "DHL express services".
Glecia has no spreading mechanism of its own, so the spam run that delivers it must be sent by a third party.
An e-mail sample follows:

Subject: DHL Express Services. Please get your parcel NR.56449

Headers:
From: "****" <****@dhl-usa.com>
Subject: DHL Express Services. Please get your parcel NR.56449

Body:
Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Thank you for attention.
DHL Services.

Attachments:
DHL_print_label_582b9.zip (16.23KB)
The archive contains a packed executable which drops a BHO (Browser Helper Object) to %SYSTEM%\hdvgtueyitf.dll and registers it under the display name "Microsoft Online Helper!" or "Google Accelerator!" with CLSID {CEE2864E-1144-4B8F-9A43-4CEAC4553560}.
Once the BHO is installed, the dropper writes and runs a batch file named sys.bat that deletes the dropper.
The BHO is a backdoor that gives the attacker remote control of the infected computer.

Last update 21 November 2011
