F-Secure
Tools
Trojan-Downloader:W32/KDV-176347
Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
This trojan is disguised as a DOC file. Upon executing the trojan, it will download a document from a remote site (hxxp://www.epof.ru/[...]/document.doc) and display it, furthering the deception that the trojan is legitimate. Below is a screenshot of the document displayed:
In the meantime, the trojan will attempt to download malicious files from the following URLs:
- hxxp://www.epof.ru/[...]/load.php?file=0
- hxxp://www.epof.ru/[...]/load.php?file=1
- hxxp://www.epof.ru/[...]/load.php?file=2
- hxxp://www.epof.ru/[...]/load.php?file=3
- hxxp://www.epof.ru/[...]/load.php?file=4
- hxxp://www.epof.ru/[...]/load.php?file=5
- hxxp://www.epof.ru/[...]/load.php?file=6
- hxxp://www.epof.ru/[...]/load.php?file=7
- hxxp://www.epof.ru/[...]/load.php?file=8
- hxxp://www.epof.ru/[...]/load.php?file=9
- hxxp://www.epof.ru/[...]/load.php?file=uploader
- hxxp://www.epof.ru/[...]/load.php?file=grabbers
At the time of writing, the domain contacted by the malware is blocked by the Browsing Protection feature of our product.