TROJ_DLOADER.RFQ
For an at-a-glance view of the behavior of this malware, refer to the Behavior Diagram shown below. This Trojan may be downloaded from one or more remote sites. A user may download it unknowingly when visiting a malicious Web site. It creates a registry key as part of its installation routine. To trick users into thinking that it is a legitimate file, it uses the following icon related to Macromedia Flash Player:

Upon execution, this Trojan displays the following fake message box to trick unsuspecting users into thinking that it failed to execute:

When a user clicks the OK button, it connects to several Web sites to alert a remote malicious user. It drops files that are all detected by Trend Micro as TSPY_BANCOS.ABL. The dropped files are then executed, after which a search is made for the folder C:\Arquivos de Programas on the affected system, where TROJ_BANKER.PXN is dropped. An error message is displayed if that folder is not found. Otherwise, it creates the folder PLUGIN under the folder C:\Arquivos de Programas. It also drops non-malicious files. As a result, the routines of the dropped files are exhibited on the affected system.

Original Source: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADER.RFQ

