This Trojan downloads files via the Internet without the user’s knowledge or consent.
It is a Windows PE EXE file written in Borland C++. It has the following components:
The Trojan program (X.EXE) attempts to establish a TCP connection to 220.127.116.11:62324 (18.104.22.168:55512). If a connection is not established within 30 seconds, the Trojan will terminate its process. If a connection is established, the Trojan will create a file called “anyfile.exe” in the current directory, write downloaded data to this file, and then launch the file for execution. The Trojan will then cease running.
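The X.EXE sequence described above (an outbound connection, then an executable written and launched by the same process) can be correlated in endpoint telemetry. The following is an added example, not part of the original description: the event fields, paths, PIDs and 192.0.2.x addresses are constructed, and only port 62324 and the file name anyfile.exe come from the text.

```python
# Constructed, Sysmon-style events (not real telemetry); 192.0.2.0/24 is a documentation range.
EVENTS = [
    {"ts": 100, "type": "net_connect", "pid": 4120, "image": r"C:\Temp\X.EXE", "remote": "192.0.2.10:62324"},
    {"ts": 103, "type": "file_create", "pid": 4120, "path": r"C:\Temp\anyfile.exe"},
    {"ts": 104, "type": "proc_create", "pid": 4188, "ppid": 4120, "image": r"C:\Temp\anyfile.exe"},
    # Benign contrast: a download that is written to disk but never launched by the downloader.
    {"ts": 200, "type": "net_connect", "pid": 900, "image": r"C:\Apps\browser.exe", "remote": "192.0.2.80:443"},
    {"ts": 205, "type": "file_create", "pid": 900, "path": r"C:\Users\a\Downloads\setup.exe"},
]

KNOWN_DROP_NAME = "anyfile.exe"  # file name given in the description above


def find_download_and_run(events, window=60):
    """Return findings where one process connects out, writes an .exe, then launches it."""
    last_conn, dropped, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["type"] == "net_connect":
            last_conn[pid] = ev
        elif ev["type"] == "file_create" and ev["path"].lower().endswith(".exe"):
            conn = last_conn.get(pid)
            # Only keep drops that follow a connection by the same process within the window.
            if conn and ev["ts"] - conn["ts"] <= window:
                dropped[(pid, ev["path"].lower())] = (conn, ev)
        elif ev["type"] == "proc_create":
            # The launched image must be the file its parent process just wrote.
            hit = dropped.get((ev["ppid"], ev["image"].lower()))
            if hit and ev["ts"] - hit[1]["ts"] <= window:
                conn, drop = hit
                name = drop["path"].rsplit("\\", 1)[-1].lower()
                findings.append({
                    "downloader": conn["image"],
                    "remote": conn["remote"],
                    "dropped": drop["path"],
                    "known_name": name == KNOWN_DROP_NAME,
                })
    return findings


if __name__ == "__main__":
    for finding in find_download_and_run(EVENTS):
        print(finding)
```

The `known_name` flag only raises confidence; the correlation itself does not depend on the file name, so a renamed payload is still reported.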
The Trojan uses a ZFTP server on port 12345 to download data. When the client component (CLIENT.EXE) is launched, it sends a broadcast request to check port 12345. If the address of the computer where the server component (SERVER.EXE) is installed is given as a command-line parameter, then a connection will be established to this machine on the designated port. Files will then be downloaded from the server.