| NAME: | Glieder.I |
| ALIAS: | Trojan.Win32.Glieder.i, W32/Glieder.I |
| ALIAS: | TrojanDropper.Win32.Small.kv, TrojanDownloader.Win32.Agent.cj |
Yet another Glieder variant has been spammed. The origin is an
email message sent to many people. The message contains an
attachment named FOTOS.ZIP. Inside the ZIP archive there is an
HTML portion that uses a common exploit to launch an EXE file
named CALC.EXE, which is also located inside the archive.
Once the CALC.EXE file is launched it copies itself to the
Windows System32 directory under the name DORIOT.EXE and adds
Registry keys under:
HKLM\Software\Microsoft\CurrentVersion\Run
HKCU\Software\Microsoft\CurrentVersion\Run
to ensure the trojan is started upon reboot. A file named
GDQFW.EXE is then dropped into the Windows System32 directory.
This file is then injected into Explorer.exe process space
through process memory manipulation. The dropper terminates at
this stage.
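The dropper behaviour described above leaves two host artefacts a responder can look for: the copied file names in the System32 directory and the Run-key values that launch DORIOT.EXE. The following Python triage helper is an added example, not F-Secure's code or a tool from the write-up; it works on text already collected from a host (the output of `reg query ... /s` and a directory listing), so it runs offline. The sample input is constructed for illustration, and the Run value names "svchost32" and "Doriot" are assumptions, not indicators from the write-up.

```python
"""
Added example (not part of the F-Secure write-up): offline triage of
collected host data for the Glieder.I artefacts named in the text:
DORIOT.EXE and GDQFW.EXE in System32, and Run-key values launching DORIOT.EXE.
"""
import re

# File names the write-up attributes to Glieder.I (matched case-insensitively).
GLIEDER_FILES = {"doriot.exe", "gdqfw.exe"}

# Run keys exactly as the write-up lists them.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\CurrentVersion\Run",
)

# `reg query` prints full hive names; map them to the abbreviations used above.
_HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# One value line of `reg query` output:  "    <name>    REG_SZ    <data>"
_VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s+(.*)$")


def normalize_key(key):
    """Rewrite 'HKEY_LOCAL_MACHINE\\...' as 'HKLM\\...' so keys compare equal."""
    hive, _, rest = key.partition("\\")
    return _HIVE_ABBREV.get(hive.upper(), hive.upper()) + "\\" + rest


def parse_reg_query(text):
    """Parse `reg query` style output into (key, value_name, data) tuples."""
    entries = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current_key = line.strip()  # key names start in column 0
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group(1), m.group(3)))
    return entries


def file_name_of(command):
    """Return the lower-cased base name of the executable a Run value launches."""
    command = command.strip()
    if command.startswith('"'):                  # quoted path, possibly with spaces
        path = command[1:].split('"', 1)[0]
    else:                                        # unquoted path, stop at first blank
        path = command.split()[0] if command.split() else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_glieder_indicators(reg_text, system32_listing):
    """Return human-readable findings for the Glieder.I artefacts."""
    wanted_keys = {k.lower() for k in RUN_KEYS}
    findings = []
    for key, name, data in parse_reg_query(reg_text):
        if normalize_key(key).lower() in wanted_keys and file_name_of(data) in GLIEDER_FILES:
            findings.append(f"Run value '{name}' under {normalize_key(key)} launches {data}")
    for entry in system32_listing:
        if entry.strip().lower() in GLIEDER_FILES:
            findings.append(f"System32 contains {entry.strip()}")
    return findings


# Constructed sample data (not captured from a real infection).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    svchost32    REG_SZ    C:\WINDOWS\System32\DORIOT.EXE

HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run
    Doriot    REG_SZ    "C:\WINDOWS\System32\doriot.exe"
"""
SAMPLE_SYSTEM32 = ["calc.exe", "Doriot.exe", "gdqfw.exe", "notepad.exe"]

if __name__ == "__main__":
    for finding in find_glieder_indicators(SAMPLE_REG, SAMPLE_SYSTEM32):
        print(finding)
```

The matching is on file names only, which is what the write-up gives; on a real host, a hit should be followed by hashing the files and checking Explorer.exe for foreign code, since the injected GDQFW.EXE image is the active component.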
The injected code from GDQFW.EXE is active while Explorer.exe is
active. It performs various tasks, which include monitoring
various security-related update programs and terminating them, and
checking a predefined list of URLs for a particular file and, if
present, downloading and executing it. It also manipulates
cached URLs on the user's machine.
F-Secure Anti-Virus detects Glieder.I starting from the following
update:
[FSAV_Database_Version]
Version=2004-09-01_01
Write-up and Technical Details:
Tzvetan Chaliavski, August 31st, 2004;
Description Updated:
Alexey Podrezov, September 1st, 2004;
F-Secure Corporation