Additional Details
Trop is a dropper that encrypts a malware payload with RC4 and stores it in the resource (.rsrc) section of the executable. The main purpose of this type of dropper is to hide the payload and make the file look less suspicious to scanners.
The functionality is quite simple: the dropper loads the resource, decrypts it, verifies that the decryption succeeded, then executes the decrypted payload as a new process and terminates itself.
Sometimes it also hides the names of suspicious APIs it uses, such as:
- CreateProcess
- NtUnmapViewOfSection
- WriteProcessMemory
- GetThreadContext
- SetThreadContext
- ResumeThread
Note
The RC4 key is usually 128-bit and is usually located after the encrypted data.
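The load-decrypt-verify step described above, written out as an analyst-side helper. This is an added example, not code from the original description or from any real sample: it assumes the layout stated in the note (ciphertext followed by a trailing 16-byte RC4 key), builds a constructed resource blob in the block itself, recovers the payload, and applies the same "does this look like a PE image" sanity check the dropper performs before launching the result.

```python
# Added example (not part of the original description): recover and verify an
# RC4-encrypted payload from a dropper resource blob, assuming the trailing
# 16 bytes of the blob are the RC4 key (layout taken from the note above).

KEY_LEN = 16  # 128-bit key, as the note describes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_resource(blob: bytes, key_len: int = KEY_LEN):
    """Split a resource blob into (ciphertext, key); the key is the trailing bytes."""
    if len(blob) <= key_len:
        raise ValueError("resource too small to hold ciphertext plus key")
    return blob[:-key_len], blob[-key_len:]


def looks_like_pe(data: bytes) -> bool:
    """Cheap check mirroring the dropper's own 'did decryption work' step:
    a DOS header starts with 'MZ' and is at least 0x40 bytes long."""
    return len(data) >= 0x40 and data[:2] == b"MZ"


def recover_payload(blob: bytes, key_len: int = KEY_LEN):
    """Return the decrypted payload if it passes the PE check, else None."""
    ciphertext, key = split_resource(blob, key_len)
    plain = rc4(key, ciphertext)
    return plain if looks_like_pe(plain) else None


# ---- constructed sample data, NOT taken from a real sample ----
SAMPLE_KEY = bytes(range(0x10, 0x20))  # 16 arbitrary key bytes
SAMPLE_PAYLOAD = (
    b"MZ" + b"\x90" * 0x3E + b"PE\x00\x00" + b"constructed-placeholder-payload"
)
# Resource layout assumed from the note: RC4(payload) followed by the key.
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, SAMPLE_PAYLOAD) + SAMPLE_KEY

if __name__ == "__main__":
    result = recover_payload(SAMPLE_RESOURCE)
    print("recovered PE payload" if result else "decryption check failed")
```

In practice the blob would come from the .rsrc section of the sample under analysis (for example via a PE parsing library), and if the key is not where the note says, the `looks_like_pe` check fails and `recover_payload` returns `None` rather than handing back garbage.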