
TrojanDownloader:Win32/Dabvegi.A


First posted on 02 September 2010.
Source: SecurityHome

Aliases:

TrojanDownloader:Win32/Dabvegi.A is also known as W32/Bancos.G.gen!Eldorado (Authentium (Comma, Trojan.Win32.Cossta.hlm (Kaspersky), W32/Banker.FMMV (Norman), Trojan horse PSW.Banker5.BIFB (AVG), Trojan.Heur.km0@gNqUEKki (BitDefender), Win32/Dabvegi.AG (CA), PWS-Banker!gpb (McAfee), Trojan.Win32.Generic.52276124 (Rising AV), Trojan.Win32.Generic!BT (Sunbelt Software).

Explanation:

TrojanDownloader:Win32/Dabvegi.A is a detection for a trojan that downloads and executes arbitrary files.

Infection

When executed, the malware creates the following folder:

  • %temp%\mkii\

It then drops and executes a copy of itself as "<malware name>.exe" in this folder. The malware also adds itself to the firewall-authorized applications list; it does this by dropping a randomly named batch file, for example "vdxxonfbk.bat", in the same folder. This batch file runs the following command:

  netsh.exe firewall add allowedprogram PROGRAM="%temp%\mkii\<malware name>.exe" NAME="lvideo" MODE=ENABLE PROFILE=ALL

Note: After downloading, the malware may remove itself from the firewall-authorized applications list.

Payload

Downloads and executes arbitrary files

The malware contacts various domains to download and execute arbitrary files, for example:

  • berlinhanin.org
  • epiaget.com
  • yak1004.wo.to

At the time of writing, the malware was seen downloading variants of the Trojan:Win32/Dabvegi family.
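The firewall-exception step described above leaves a recognisable trace: a `netsh firewall add allowedprogram` command whose PROGRAM path points into a temp directory. The following added detection example (not part of the original write-up, and not the malware's own code) parses such command lines from constructed process-creation log entries and flags exceptions for programs run from %temp%-style locations; the file name "sample.exe", the user name "bob" and the vendor path are placeholders.

```python
import re
from typing import Dict, List, Optional

# Locations a legitimately installed program should not be running from.
# Dabvegi drops its copy under "%temp%\mkii\" before whitelisting it.
SUSPICIOUS_ROOTS = ("%temp%\\", "%tmp%\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# key=value arguments of `netsh firewall add allowedprogram`, quoted or bare.
_ARG = re.compile(r'(?i)\b(program|name|mode|profile|scope)=(?:"([^"]*)"|(\S+))')


def parse_netsh_allowedprogram(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the arguments of a `netsh firewall add allowedprogram` command
    line as a dict with upper-cased keys, or None if the line is something else."""
    tokens = cmdline.lower().split()
    if len(tokens) < 4 or not tokens[0].endswith(("netsh", "netsh.exe")):
        return None
    if tokens[1:4] != ["firewall", "add", "allowedprogram"]:
        return None
    args = {}
    for m in _ARG.finditer(cmdline):
        args[m.group(1).upper()] = m.group(2) if m.group(2) is not None else m.group(3)
    return args


def is_suspicious_exception(args: Dict[str, str]) -> bool:
    """Flag an exception whose PROGRAM lives in a temp directory."""
    program = args.get("PROGRAM", "").lower().replace("/", "\\")
    return any(root in program for root in SUSPICIOUS_ROOTS)


def scan_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed arguments of every suspicious exception found in the log lines."""
    hits = []
    for line in lines:
        args = parse_netsh_allowedprogram(line)
        if args is not None and is_suspicious_exception(args):
            hits.append(args)
    return hits


# Constructed sample process-creation command lines (placeholders, not real telemetry).
# The first mirrors the command in the dropped batch file, with "sample.exe"
# standing in for "<malware name>.exe".
SAMPLE_LOG_LINES = [
    r'netsh.exe firewall add allowedprogram PROGRAM="%temp%\mkii\sample.exe" NAME="lvideo" MODE=ENABLE PROFILE=ALL',
    r'netsh firewall add allowedprogram program="C:\Program Files\Vendor\app.exe" name="Vendor App" mode=ENABLE',
    r'netsh firewall show allowedprogram',
    r'C:\Windows\System32\netsh.exe firewall add allowedprogram PROGRAM="C:\Users\bob\AppData\Local\Temp\mkii\sample.exe" NAME="lvideo" MODE=ENABLE PROFILE=ALL',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES):
        print("suspicious firewall exception:", hit["PROGRAM"], "registered as", hit.get("NAME"))
```

Run over real process-creation telemetry, the same check also catches the expanded form of the path (AppData\Local\Temp) that appears once %temp% has been resolved.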

    Analysis by Ray Roberts

    Last update 02 September 2010
