Win32/MoliVampire [Threat Name]

Win32/MoliVampire.A [Threat Variant Name]

Category: trojan
Size: 10067968 B
Detection created: Jul 26, 2012
Signature database version: 7332
Aliases:
  • Trojan-Downloader.Win32.Agent.urfz (Kaspersky)
  • TrojanDownloader:Win32/Tracur.AL (Microsoft)
  • Trojan.Downloader5.61015 (Dr.Web)

Short description

Win32/MoliVampire.A is a trojan which tries to download other malware from the Internet. Win32/MoliVampire.A may be spread via peer-to-peer networks.

Installation

When executed, the trojan drops the following file in the %temp% folder:

  • _132deb6_.ocx

Win32/MoliVampire.A installs the following software:

  • eMule
  • Shareaza
  • Ares

The trojan may create the following folders:

  • %commondocuments%\Program Files\eMuleMorphXT
  • %commondocuments%\Program Files\Shareobj
  • %commondocuments%\Program Files\Aobj
  • %programfiles%\eMuleMorphXT
  • %programfiles%\Shareobj
  • %programfiles%\Aobj
  • C:\Users\Public\AppData

Other information

Win32/MoliVampire.A is a trojan which tries to download other malware from the Internet.


The trojan contains a URL and tries to download a file from that address.


The file is stored in the following location:

  • C:\Users\Public\AppData\eMuleMorphXT\SourceFile.bin

The downloaded file is an archive that contains malware files.


The file is also copied to the following folders:

  • C:\Users\Public\AppData\eMuleMorphXT\Incoming\

The filenames may vary.


This folder is a shared folder of various instant messengers and P2P applications.


The trojan creates the following files:

  • %temp%\_132deb6_.msi

The trojan executes the following files:

  • C:\Users\Public\AppData\eMuleMorphXT\conime.exe
  • C:\Users\Public\AppData\Shareobj\ctfmon.exe
  • C:\Users\Public\AppData\Aobj\ctfldr.exe
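
The file paths listed above can be turned into a triage check over process-creation or file-listing records. The following Python sketch is an added example, not part of the original description; the sample records are constructed, and it assumes paths are already expanded, that %temp% resolves to a folder named Temp, and that the system root is C:\Windows. It also goes one step beyond the listed paths by flagging conime.exe and ctfmon.exe when they sit outside the system directories.

```python
import ntpath

# Paths taken from the write-up above (lower-cased for comparison).
EXECUTED = {
    r"c:\users\public\appdata\emulemorphxt\conime.exe",
    r"c:\users\public\appdata\shareobj\ctfmon.exe",
    r"c:\users\public\appdata\aobj\ctfldr.exe",
}
STAGING_ROOT = "c:\\users\\public\\appdata\\"
STAGING_DIRS = ("emulemorphxt", "shareobj", "aobj")
DROPPED_NAMES = {"_132deb6_.ocx", "_132deb6_.msi"}
# Assumption (not from the page): conime.exe and ctfmon.exe are names of
# Windows components that normally live in System32 or SysWOW64.
SYSTEM_NAMES = {"conime.exe", "ctfmon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def classify(path):
    """Return the reasons a file or process image path looks suspicious."""
    p = ntpath.normpath(path).lower()  # also turns '/' into '\'
    folder, name = ntpath.split(p)
    reasons = []
    if p in EXECUTED:
        reasons.append("executed-file path from write-up")
    if p.startswith(STAGING_ROOT):
        first = p[len(STAGING_ROOT):].split("\\")[0]
        if first in STAGING_DIRS:
            reasons.append("inside staging folder")
    if name in DROPPED_NAMES and folder.endswith("\\temp"):
        reasons.append("dropped file name in temp folder")
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        reasons.append("system binary name outside System32")
    return reasons


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\ctfmon.exe",
    r"C:\Users\Public\AppData\Shareobj\ctfmon.exe",
    r"C:\Users\Public\AppData\eMuleMorphXT\Incoming\setup_x.zip",
    r"C:\Users\alice\AppData\Local\Temp\_132deb6_.msi",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]


def triage(events):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    return {e: classify(e) for e in events if classify(e)}
```

A hit on the System32-name rule alone is a lead to investigate rather than a confirmed detection, since it relies on the assumption stated in the code comment.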

The trojan hooks the following Windows APIs:

  • NtDeviceIoControlFile (ntdll.dll)
