TrojanDownloader:Win32/Camec.J
First posted on 10 February 2012.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Camec.J.
Explanation:
TrojanDownloader:Win32/Camec.J is a trojan that connects to a remote server in order to download and execute other malware.
Installation
Variants of TrojanDownloader:Win32/Camec.J employ social engineering techniques to entice users into running them. A variant may arrive with an icon resembling an Adobe PDF document and may have an .EXE or .SCR extension, similar to the following:
Upon execution, TrojanDownloader:Win32/Camec.J drops itself in the following path:
%TEMP%\282012
It then displays the following error message:
Payload
Checks for the presence of GBPlugin
TrojanDownloader:Win32/Camec.J checks for the presence of "GBPlugin", Brazilian online-banking protection software. If any of the following files are found on the computer, TrojanDownloader:Win32/Camec.J stops running:
- %ProgramFiles%\GbPlugin\bb.gpc
- %ProgramFiles%\GbPlugin\cef.gpc
- %ProgramFiles%\GbPlugin\uni.gpc
Downloads and executes arbitrary files
TrojanDownloader:Win32/Camec.J connects to a database hosted at "bprog.db.<removed>2224.hostedresource.com" using a hardcoded user name and password. It then downloads additional malware, detected as a variant of Trojan:Win32/Camec, and saves it as the following file:
%USERPROFILE%\Application Data\winturs.dll
It then installs the downloaded file as a Browser Helper Object.
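The artifacts described above can be checked on a host with a short PowerShell function. This is an added example, not part of the original Microsoft write-up: the two file paths come from the description, while the function name and the Browser Helper Object registry locations (the standard Windows ones) are assumptions of the example.

```powershell
# Added example: host triage for the artifacts named in this description.
# Get-CamecJArtifacts is a hypothetical helper name. The BHO registry keys
# are the standard Windows locations, not values given on the page.
function Get-CamecJArtifacts {
    param(
        [string]$TempDir     = $env:TEMP,
        [string]$UserProfile = $env:USERPROFILE
    )
    $findings = @()

    # Dropped copy of the downloader and the DLL it downloads.
    $paths = @(
        (Join-Path $TempDir '282012'),
        (Join-Path $UserProfile 'Application Data\winturs.dll')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = 'present' }
        }
    }

    # Each BHO subkey is named after a CLSID; the DLL that implements it is
    # the default value of CLSID\<id>\InprocServer32. Check the native and
    # the 32-bit (WOW6432Node) registry views.
    $views = @(
        @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Cls = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
        @{ Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Cls = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid  = $key.PSChildName
            $inproc = Join-Path $v.Cls "$clsid\InprocServer32"
            $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            # -like is case-insensitive and tolerates quoted or expanded paths.
            if ($server -and ($server -like '*winturs.dll*')) {
                $findings += [pscustomobject]@{ Type = 'BHO'; Location = "$($v.Bho)\$clsid"; Detail = $server }
            }
        }
    }
    return $findings
}

Get-CamecJArtifacts | Format-Table -AutoSize
```

An empty result means none of the listed artifacts were found for the current user; run it once per user profile, since both file paths are per-user.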
Analysis by Horea Coroiu
Last update 10 February 2012