Trojan-Downloader:W32/Streedom.A arrives to the system as an embedded binary executable file from within a malicious .RTF file, which is detected as Trojan:W97M/Streedom.A.
Upon execution of the embedded file, it will drop a copy of itself in the following path and file name:
To enable automatic execution upon boot up, Trojan-Downloader:W32/Streedom.A adds the following auto start registry entry:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run linkyuu = %sysdir%\linkuyy.exe
Trojan-Downloader:W32/Streedom.A creates this file and then deletes it again:
Note: this is a hard coded string
Trojan-Downloader:W32/Streedom.A uses the default Internet Browser installed on the system to download Trojan-Dropper:W32/Streedom.A. In order to do this, it creates a process for the browser and then injects itself. Afterwards, it will remotely trigger a thread that contains the main payload, which is the download routine.
Trojan-Downloader:W32/Streedom.A will only start downloading if an Internet Connection is available. Internet availability is checked by establishing a connection to the following site:
If an Internet connection is unavailable, it will infinitely try establishing a connection every 10000 ms or 10 seconds.
Here is the URL from where it downloads Trojan-Dropper:W32/Streedom.A:
The downloaded file is saved and executed in the following path and filename:
The creator of this malware uses message boxes to debug this program.
This message box for instance, shows up when it fails to launch a process of the default browser:
Here are more of the other message boxes:
This malware has been packed with FSG 2.0.