This trojan is hosted on the website http://www.cad-portal.com/includes/[...].php and executes automatically when the user visits the website. This trojan downloads a another trojan onto the system. The downloaded trojan steals the user's internet banking information and is detected as Trojan-Spy.Banbra.RM.
Upon execution, the trojan creates the file:
This text file contains the text 'olha'.The trojan then downloads and execute the binary files:
To distract the user from detecting any malicious activity, the trojan also download innocuous-looking files from:
The first JPEG file, 001.jpg, will be renamed tomsnmsgsr.exe;the second JPEG file, 002.jpg, will be renamed toinnit226.exe. Both are renamed using Windows command prompt and stored on %windir%\system32. As these files share similar names with the malicious binary files, they help camouflage the trojan's activity.Upon successful execution of the trojan, Internet Explorer will open the page http://www.orkut.com, a social networking site.This trojan was written in Borland Delphi.