- W32/Naldem-tr is 32bit with a compressed file size
of 6,656 bytes
- Trojan is introduced to the system by visiting
a malicious web page and may exist on an infected
system as "DivX.exe"
- W32/Naldem-eml was sent by a hacker or group of
hackers as spammed emails to various users across
the Internet with a spoofed "from" address
- The text of the email suggested the user view an
electronic greeting card by visiting a hyperlink in
the message - the hyperlink was suggested to be 123greetings.com
however it is actually a user account within the idownline.com
- The index page on that user account contains an
instruction to open a malicious web page in another
- That page (named "p") contains instructions
to open three additional malicious web pages in Iframes
- the pages are hosted at another web address presumably
based in the UK, and the three pages are named "spy",
"in" and "s"
- The page "spy" is a logging script which
logs usage hits to the hosting domain
- The page "in" contains various instructions
- downloads a Trojan binary named "divx.exe" from a web page
- implements an "ADODB.Stream" exploit to write "divx.exe" as a file on the local system
- downloads and executes a Java Applet Trojan in a file named "BlackBox.class"
- using an Object data tag, downloads and runs an HTA file named "ouch.php"
- The page "s" also implements an "ADODB.Stream"
exploit to overwrite Notepad.exe in various subfolders
to maximize the chance of targeting different operating
systems for English Windows - the following files
are targets for being overwritten by W32/Naldem-tr
The Trojan binary file named "divx.exe" is known as W32/Naldem-tr - if this Trojan is run, it will attempt to connect to the Internet and bind with a randomly chosen TCP port
Periodically the Trojan will send a SYN packet to the IP address 126.96.36.199 and request and acknowledgement from the server
The Trojan may connect with that IP address and use a .CGI script to send data to that server possibly as an attempt to log infection statistics as well as the port number chosen
The Trojan may also auto run by modifying the registry as well as create additional registry keys -
"DivX Updater" = C:\WINNT\System32\DivX.Exe
"LastUpd" = (hex values)
"UniqueID" = (hex values)
The "ADODB.Stream" exploit is coded to take advantage of systems not patched against this vulnerability - the exploit is initiated as an ActiveX Object and the code retrieves W32/Naldem-tr as the file "DivX.exe" from a web page and saves it as the following -
"C:\Program Files\Windows Media Player\wmplayer.exe"
The Java Applet Trojan contains an exploit which targets vulnerable systems into running arbitrary code - the code could be subtle such as changing the Internet Explorer start page
The file "ouch.php" contains HTA code to write encoded data to a file on the target system - the encoded data translates into hex code for a 32bit file
The file is saved locally as "divxupdater.exe" and then it is run
- Block access to the following URLs -
- Add the following to email filters for your FortiGate
- Configure email servers to quarantine "tagged" emails and delete as necessary