November 14, 2012
Trojan.DownLoader7.21125 is a primitive program whose body contains an unencrypted site URL used to redirect users to another website from which Trojan.DownLoader7.21125 receives a list of addresses for the subsequent downloading of malicious applications. When trying to connect to a control server via HTTP, a web page appears in the browser window and prompts the user to enter their login and password.
Currently Trojan.DownLoader7.21125 downloads and installs onto the infected computer a bitcoin mining program, repacked copies of itself, as well as the following malware:
- BackDoor.Andromeda.22, a widespread Trojan downloader that also can download other malware and install it on the infected computer.
- Trojan.Rodricter.21, a multi-component rootkit whose dropper is equipped with anti-debugging features. It exploits OS vulnerabilities to elevate its privileges. It also disables UAC both in 32- and 64-bit versions of Windows. It changes Mozilla Firefox and Internet Explorer settings. The main function of its core module is to intercept traffic on the infected PC.
- Trojan.PWS.Multi.879, a malicious program that can steal passwords stored by a number of popular applications, including ICQ, Yahoo! Messenger, FTP Commander, Paltalk, AIM, Google Talk, MSN Messenger, Miranda and Trillian.
- BackDoor.HostBooter.3, a program designed to perform DDoS attacks, as well as download and run files upon a corresponding command from a control server.
All these threats are detected by Dr.Web anti-viruses. Trojan.DownLoader7.21125 can be downloaded to a PC by other malicious applications or get into a system another way including by exploiting browser vulnerabilities. The main danger lies in the program's ability to quickly turn the infected system into a congregation of many other malicious programs. Doctor Web recommends that users keep the virus definitions of their anti-virus programs up to date to maintain reliable system security.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.