
Trojan:Win32/Arpove.A


First posted on 29 October 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Arpove.A is also known as Backdoor.Win32.Delf.ukq (Kaspersky), W32/Delf.FGXO (Norman), Backdoor.Delf.FREG (VirusBuster), BackDoor.Generic13.COJ (AVG), BDS/Delf.ukq.6 (Avira), Backdoor.Generic.475163 (BitDefender), BackDoor.Siggen.26402 (Dr.Web), Win32/Delf.NWU (ESET), Trojan-Dropper.Delf (Ikarus), Generic.dx!uej (McAfee), Troj/Delf-FFQ (Sophos), Trojan.Win32.Generic.pak!cobra (Sunbelt Software).

Explanation :

Trojan:Win32/Arpove.A is a trojan that steals sensitive information from the infected computer and monitors the user's activities.

Installation

Upon execution, Trojan:Win32/Arpove.A drops the following DLL file, which contains the main payloads:

%APPDATA%\kdsrdi.dll

Note: %APPDATA% refers to a variable location that the malware determines by querying the operating system. The default location of the Application Data folder for Windows 2000 and XP is C:\Documents and Settings\<user>\Application Data; for Windows Vista and 7 it is C:\Users\<user>\AppData\Roaming.

It then creates the following registry entries so that the DLL is loaded at each Windows start, when the ERSvc (Error Reporting) service is started. ERSvc is hosted by svchost.exe, which reads the DLL it should load from the ServiceDll value under the service's Parameters subkey, so redirecting that value to a user-writable path is enough to get the trojan's code running inside the service process:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Parameters
Sets value: "ServiceDll"
With data: "%APPDATA%\kdsrdi.dll"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ERSvc
Sets value: "LinksName"
With data: "s2"

Payload

Steals sensitive information

Trojan:Win32/Arpove.A steals sensitive information from the infected system and installs a hook procedure to monitor the user's activities. It collects system information such as:

  • System IP address
  • User name
  • CPU type
  • Windows Version
  • Amount of memory on the system

The trojan also installs a hook procedure that logs keystrokes and mouse clicks entered by the user, as well as the window titles of applications running on the system. Win32/Arpove.A may save this information to the file %APPDATA%\mslog.dat and send it to a remote host.
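The persistence mechanism above (a ServiceDll value that points outside the Windows directory) is easy to hunt for across every svchost-hosted service, not just ERSvc. The following PowerShell script is an added example written for this page, not part of the original analysis or of any vendor tool. It enumerates HKLM\SYSTEM\CurrentControlSet\Services, flags ServiceDll values that resolve outside %SystemRoot%, under a user profile, or to a file that does not exist, and then checks the specific Arpove.A indicators named above (kdsrdi.dll, mslog.dat and ERSvc\LinksName = "s2"). It assumes an elevated session; %APPDATA% is expanded for the account running the script, so other user profiles need a separate pass.

```powershell
# Added hunt script; not from the original write-up. Enumerates every service under
# HKLM\SYSTEM\CurrentControlSet\Services, reads Parameters\ServiceDll and flags any
# DLL that does not live under %SystemRoot%, sits under a user profile, or is missing
# from disk. It then checks the Arpove.A artifacts named in the write-up.
# Assumptions: run as Administrator; %APPDATA% is expanded for the current account only.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot
$findings    = @()

foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $name       = $svc.PSChildName
    $paramsPath = "$servicesKey\$name\Parameters"
    if (-not (Test-Path -LiteralPath $paramsPath)) { continue }

    $raw = (Get-ItemProperty -LiteralPath $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }

    # REG_EXPAND_SZ is expanded by Get-ItemProperty; a %VAR% written as REG_SZ is not,
    # so expand again to obtain the path svchost.exe would actually try to load.
    $dll     = [Environment]::ExpandEnvironmentVariables($raw)
    $reasons = @()

    if ($dll -notlike "$systemRoot\*") {
        $reasons += 'ServiceDll outside %SystemRoot%'
    }
    if ($dll -like "$env:APPDATA\*" -or $raw -match '%APPDATA%|\\AppData\\|\\Application Data\\') {
        $reasons += 'ServiceDll under a user profile (Arpove.A-style persistence)'
    }
    if (-not (Test-Path -LiteralPath $dll)) {
        $reasons += 'DLL path does not exist on disk'
    }

    if ($reasons.Count -gt 0) {
        $findings += [pscustomobject]@{
            Service    = $name
            ServiceDll = $raw
            Expanded   = $dll
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Indicators specific to this family, taken from the write-up.
$links = (Get-ItemProperty -LiteralPath "$servicesKey\ERSvc" -Name LinksName -ErrorAction SilentlyContinue).LinksName
if ($links -eq 's2') {
    $findings += [pscustomobject]@{
        Service = 'ERSvc'; ServiceDll = ''; Expanded = ''
        Reasons = 'LinksName = "s2" matches Trojan:Win32/Arpove.A'
    }
}
foreach ($artifact in 'kdsrdi.dll', 'mslog.dat') {
    $path = Join-Path $env:APPDATA $artifact
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{
            Service = '(file)'; ServiceDll = ''; Expanded = $path
            Reasons = "Arpove.A artifact present: $artifact"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No suspicious ServiceDll entries or Arpove.A artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Legitimate third-party services sometimes keep their ServiceDll under %ProgramFiles%, so the "outside %SystemRoot%" hits are a triage list rather than verdicts; an entry under AppData, or one whose file is missing on disk, is the case worth pulling the DLL for.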

Analysis by Amir Fouda

Last update 29 October 2010
