TrojanDownloader:Win32/Dalexis.A
First posted on 26 November 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Dalexis.A.
Explanation:
Threat behavior
Installation
This threat can be downloaded when you open a spam email attachment. We have seen the attachment use the following file names:
- economizers_2014-09-22-10-15-42_63357391537.arj
- item_2014-09-02_12-59-15_90936603418.arj
- item_2014-09-03_10-01-56_96088208293.arj
- order_2014-08-27_11-30-20_92103382498.zip
- pronouncing_2014-09-15_14-59-20_QN9H3J.arj
- pronouncing_218826814281517_8TQZ161.rar
- sale_2014-08-27_10-59-26_96881014023.zip
- sale_2014-09-02_14-45-02_32594437599.arj
- statement_622653241052904_5T38CL3.rar
When you open the attachment, the malware runs. It installs the following file onto your PC:
- %TEMP%\temp_cab_[random number].cab, for example %TEMP%\temp_cab_293703.cab
The malware also shows you an image similar to the following:
Payload
Downloads updates and other malware
The malware checks for an internet connection by connecting to a clean website such as windowsupdate.microsoft.com. It then connects to a hardcoded remote host to download other malware, for example:
We have seen this threat download updates as well as other threats from the following malware families:
- Win32/Vawtrak
- Win32/Zbot
Analysis by Patrick Estavillo
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
%TEMP%\temp_cab_[random number].cab, for example %TEMP%\temp_cab_293703.cab.
- You see this image on your PC:
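A host-side check for the file artefact in the Symptoms list, added here as example code (not Microsoft's own tooling): it scans %TEMP% for the dropped temp_cab_[number].cab file and, as a triage aid, applies a regular expression that is my own generalization of the attachment names listed under Installation. The sample directory and its files are constructed inside the script.

```python
import os
import re
import tempfile
from pathlib import Path

# Dropped file described on this page: %TEMP%\temp_cab_<random number>.cab
DROPPED_CAB_RE = re.compile(r"^temp_cab_\d+\.cab$", re.IGNORECASE)

# Heuristic derived from the attachment names listed on this page:
# <word>_<date or digits>[_<time>]_<alphanumeric id>.<arj|zip|rar>
# It is broader than the exact samples, so treat a hit as a triage lead, not proof.
ATTACHMENT_NAME_RE = re.compile(
    r"^[a-z]+_[\d-]+(?:_[\d-]+)?_[0-9a-z]+\.(?:arj|zip|rar)$", re.IGNORECASE
)


def find_dropped_cabs(temp_dir=None):
    """Return full paths of files in temp_dir (default %TEMP%) named like the dropped .cab."""
    base = Path(temp_dir) if temp_dir else Path(os.environ.get("TEMP", tempfile.gettempdir()))
    if not base.is_dir():
        return []
    return sorted(
        str(p) for p in base.iterdir() if p.is_file() and DROPPED_CAB_RE.match(p.name)
    )


def is_suspicious_attachment(name):
    """True when an attachment name follows the pattern of the samples on this page."""
    return bool(ATTACHMENT_NAME_RE.match(name))


def demo_scan():
    """Build a constructed temp directory and return the base names the scan flags."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files, empty on purpose; only the first should be flagged.
        for name in ("temp_cab_293703.cab", "notes.txt", "temp_cab_x.cab"):
            Path(d, name).write_bytes(b"")
        return [Path(p).name for p in find_dropped_cabs(d)]


if __name__ == "__main__":
    print("dropped-file hits in constructed directory:", demo_scan())
    for sample in ("order_2014-08-27_11-30-20_92103382498.zip", "invoice.pdf"):
        print(sample, "->", is_suspicious_attachment(sample))
```

Run `find_dropped_cabs()` with no argument on the machine under review to scan the real %TEMP% directory; a hit on the .cab pattern warrants a full scan rather than manual deletion, since the downloader may already have fetched Vawtrak or Zbot.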
Last update 26 November 2014