
Trojan.Dmservinf.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.Dmservinf.A is also known as Trojan:win32/Mesoum.A, Trj/Multidropper.ROM, TR/Patched.BU.6.

Explanation :

When the executable part of this trojan is run, it drops a dynamic library file in the temp directory of the current user. This DLL has a random name such as 97a2ljq.tmp. The executable also infects a DLL located in the system32 directory and makes it load the malicious file it dropped before. After this, it uses an export from the dropped DLL to delete itself.

Once it is loaded, the malicious DLL tries to close services belonging to some AV products, infects other DLLs in the system32 directory so that they load the malware, and downloads other malicious files from locations such as:

* http://www.adobeliveupdates.net/flash/rVGc...K26474/JVBMO6KVF9oF.asf
* http://www.adobeliveupdates.net/flash/rVG...CK26474/JVBMO6KVF9oF.gif
* http://www.msmsnliveupdates.net/Script/Xp...Gp11449/CjGBFgSSVJrxJ.bmp
* http://www.msmsnliveupdates.net/Script/Xp...Gp11449/CjGBFgSSVJrxJ.mp3
* http://www.msmsnliveupdates.net/flash/rVG...GCK26474/JVBMO6KVF9oF.asf
* http://www.msmsnliveupdates.net/flash/rVG...K26474/JVBMO6KVF9oF.gif
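
A triage check for the dropper behaviour described above, added here as an example and not taken from BitDefender: it lists files in a temp directory that carry a .tmp extension but are PE images with the DLL flag set. The function names and the constructed header helper are assumptions made for illustration; a hit is a lead for analysis, since legitimate installers also unpack DLLs under .tmp names.

```python
import os
import struct
import tempfile

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: image is a DLL


def is_pe_dll(path):
    """True if the file is a PE image whose COFF header has the DLL flag."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            f.seek(e_lfanew)
            hdr = f.read(24)  # "PE\0\0" signature + 20-byte COFF header
    except OSError:
        return False  # unreadable or locked file: skip it
    if len(hdr) < 24 or hdr[:4] != b"PE\0\0":
        return False
    (characteristics,) = struct.unpack_from("<H", hdr, 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def find_tmp_dlls(directory=None):
    """Names of *.tmp files in `directory` (default: user temp) that are DLLs."""
    directory = directory or tempfile.gettempdir()
    return sorted(
        e.name for e in os.scandir(directory)
        if e.is_file() and e.name.lower().endswith(".tmp") and is_pe_dll(e.path)
    )


def constructed_pe_header(characteristics):
    """Constructed, non-functional 88-byte PE header used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample directory
        samples = {"97a2ljq.tmp": constructed_pe_header(0x2002),
                   "setup.tmp": constructed_pe_header(0x0002),
                   "notes.tmp": b"plain text"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        print(find_tmp_dlls(d))
```

Pass the path of a user's temp directory to `find_tmp_dlls` to check a mounted disk image instead of the live profile.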

Last update 21 November 2011

 
