Discovered: April 1, 2004
Updated: October 23, 2009 8:07:32 AM
When Downloader.Psyme runs, it may create the following file, which must be manually executed:
- C:\Windows\test.hta
Note: This file is not created in all cases.
Next, the Trojan sends a GET request to a predetermined URL to download a file.
The GET request may be for any of the following:
- [http://]solaris-maintenance.com/cur/[REMOVED]
- [http://]solaris-maintenance.com/cur/mp.[REMOVED]
- [http://]solaris-maintenance.com/cur/dp.[REMOVED]
The files may or may not be malicious.
Next, the Trojan creates an ADODB.Stream object and executes the downloaded file(s).
The Trojan may attempt to save the file(s) on the compromised computer.
Because the behavior of this threat varies, the registry and startup information is also variable. In some versions, the following files are saved:
- C:\Windows\m.exe
- C:\Windows\mp.exe
- C:\Windows\dp.exe
- C:\Winnt\m.exe
- C:\Winnt\mp.exe
- C:\Winnt\dp.exe
- C:\Windows\uninstl.exe
Note: The paths are hard-coded and not dependent on system variables. This behavior is specific to one instance of this Trojan and may change.
The Trojan may also try to send a confirmation to the download server that the file has been retrieved.
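The download URLs and hard-coded drop paths above can be turned into a simple detection check. The following script is an added example (not part of the original writeup): it scans proxy log lines for GET requests to the solaris-maintenance.com/cur/ path and compares a list of files found on a host against the drop paths listed above. The log format and the file names after the path prefix are constructed placeholders (the writeup removes the real file names).

```python
import re

# Indicator derived from the writeup: every listed download URL starts with this prefix.
# Match is case-insensitive because Windows HTTP stacks and proxies may upper-case parts of the URL.
DOWNLOAD_URL_RE = re.compile(r"^https?://solaris-maintenance\.com/cur/", re.IGNORECASE)

# Hard-coded drop paths from the writeup (lower-cased for case-insensitive comparison).
DROP_PATHS = {
    p.lower() for p in (
        r"C:\Windows\m.exe", r"C:\Windows\mp.exe", r"C:\Windows\dp.exe",
        r"C:\Winnt\m.exe", r"C:\Winnt\mp.exe", r"C:\Winnt\dp.exe",
        r"C:\Windows\uninstl.exe", r"C:\Windows\test.hta",
    )
}

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2004-04-01T10:12:03Z 10.0.0.5 GET http://solaris-maintenance.com/cur/mp.bin 200
2004-04-01T10:12:04Z 10.0.0.5 GET http://www.example.com/index.html 200
2004-04-01T10:12:09Z 10.0.0.7 GET HTTP://SOLARIS-MAINTENANCE.COM/cur/dp.bin 200
2004-04-01T10:12:10Z 10.0.0.9 POST http://www.example.com/form 200
"""


def is_psyme_download(url: str) -> bool:
    """True if the URL matches the download location used by this Trojan."""
    return DOWNLOAD_URL_RE.match(url) is not None


def scan_proxy_log(lines):
    """Return (client_ip, url) for every GET request to the Trojan's download path."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or empty lines
        _ts, client, method, url, _status = fields[:5]
        if method.upper() == "GET" and is_psyme_download(url):
            hits.append((client, url))
    return hits


def check_dropped_files(paths):
    """Return the subset of host file paths that equal one of the hard-coded drop paths."""
    return sorted(p for p in paths if p.lower() in DROP_PATHS)


if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG.splitlines()))
    print(check_dropped_files([r"c:\windows\MP.EXE", r"C:\Windows\notepad.exe"]))
```

Because the writeup says the download may also be followed by a confirmation request to the same server, any hit from the same client on that domain is worth reviewing, not only the first GET.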