This trojan is hosted on the website
http://www.cad-portal.com/includes/[...].php and executes automatically when the user visits the website.
This trojan downloads another trojan onto the system. The downloaded trojan steals the user's internet banking information and is detected as Trojan-Spy.Banbra.RM.

Execution

Upon execution, the trojan creates the file:
This text file contains the text 'olha'.
The trojan then downloads and executes the binary files:
• %windir%\system32\innit226.exe
• %windir%\system32\msnmsgsr.exe
To keep the user from noticing any malicious activity, the trojan also downloads innocuous-looking files from:
• http://www.paeksan.com/technote/001.jpg
• http://www.paeksan.com/technote/002.jpg
The first JPEG file, 001.jpg, is renamed to msnmsgsr.exe; the second JPEG file, 002.jpg, is renamed to innit226.exe. Both are renamed using the Windows command prompt and stored in %windir%\system32. As these files share similar names with the malicious binary files, they help camouflage the trojan's activity.
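An added triage check, not part of the original description: a Python script that looks for the two dropped file names listed above in %windir%\system32 and reports, from each file's leading bytes, whether it is a real PE executable or a JPEG decoy renamed to .exe. The file names are taken from this description; the sample header bytes in the main block are constructed for an offline run.

```python
import os
from pathlib import Path

# Dropped-file names taken from the description above.
DROPPED_NAMES = ("innit226.exe", "msnmsgsr.exe")

JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker that starts every JPEG
PE_MAGIC = b"MZ"               # DOS stub that starts every PE executable


def classify_header(data: bytes) -> str:
    """Classify a file by its first bytes, ignoring its .exe extension."""
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if data.startswith(JPEG_MAGIC):
        return "jpeg-decoy"
    return "unknown"


def triage_headers(headers: dict) -> dict:
    """Map each dropped name to a verdict from its header bytes.

    Names missing from the mapping (file not present) are reported 'absent'.
    """
    return {
        name: classify_header(headers[name]) if name in headers else "absent"
        for name in DROPPED_NAMES
    }


def read_headers(system32: Path) -> dict:
    """Read the first 4 bytes of each dropped file that exists under system32."""
    headers = {}
    for name in DROPPED_NAMES:
        path = system32 / name
        if path.is_file():
            with path.open("rb") as fh:
                headers[name] = fh.read(4)
    return headers


if __name__ == "__main__":
    # Constructed sample: one real PE header and one JPEG header, as the
    # decoy files described above would look once renamed to .exe.
    sample = {"msnmsgsr.exe": b"MZ\x90\x00", "innit226.exe": b"\xff\xd8\xff\xe0"}
    print("constructed sample:", triage_headers(sample))
    # Live check of the local machine (meaningful only on Windows).
    system32 = Path(os.environ.get("WINDIR", r"C:\Windows")) / "system32"
    print("local system32:", triage_headers(read_headers(system32)))
```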
Upon successful execution of the trojan, Internet Explorer will open the page http://www.orkut.com, a social networking site.
This trojan was written in Borland Delphi.