Win32/MoliVampire [Threat Name]
Win32/MoliVampire.A [Threat Variant Name]
Category: trojan
Size: 10067968 B
Aliases:
- Trojan-Downloader.Win32.Agent.urfz (Kaspersky)
- TrojanDownloader:Win32/Tracur.AL (Microsoft)
- Trojan.Downloader5.61015 (Dr.Web)
Short description
Win32/MoliVampire.A is a trojan which tries to download other malware from the Internet. Win32/MoliVampire.A may be spread via peer-to-peer networks.
Installation
When executed, the trojan drops the following file in the %temp% folder:
- _132deb6_.ocx
Win32/MoliVampire.A installs the following software:
- eMule
- Shareaza
- Ares
The trojan may create the following folders:
- %commondocuments%\Program Files\eMuleMorphXT
- %commondocuments%\Program Files\Shareobj
- %commondocuments%\Program Files\Aobj
- %programfiles%\eMuleMorphXT
- %programfiles%\Shareobj
- %programfiles%\Aobj
- C:\Users\Public\AppData
Other information
Win32/MoliVampire.A is a trojan which tries to download other malware from the Internet.
The trojan contains a URL. It tries to download a file from that address.
The downloaded file is stored in the following location:
- C:\Users\Public\AppData\eMuleMorphXT\SourceFile.bin
The archive contains malware files.
The file is also copied into the following folder:
- C:\Users\Public\AppData\eMuleMorphXT\Incoming\
The filenames may vary.
This folder is a shared folder used by various instant messengers and P2P applications.
The trojan creates the following files:
- %temp%\_132deb6_.msi
The trojan executes the following files:
- C:\Users\Public\AppData\eMuleMorphXT\conime.exe
- C:\Users\Public\AppData\Shareobj\ctfmon.exe
- C:\Users\Public\AppData\Aobj\ctfldr.exe
The trojan hooks the following Windows APIs:
- NtDeviceIoControlFile (ntdll.dll)