Troj/DarkDrp-A Description
The Troj/DarkDrp-A Trojan is the second component in a malware attack that begins with a social engineering scam built around an HLP file, that is, a fake Windows Help file. Criminals have been found to use these Windows Help files to install malicious executable files on the victim’s computer. For example, a malicious HLP file detected in August of 2012, known as Troj/HlpDrp-B, causes the infected computer to display a misleading error message while Troj/HlpDrp-B installs Troj/DarkDrp-A in the background. This malicious HLP file, named ‘Amministrazione.hlp’ (Italian for ‘Administration’), is a novel way of delivering malware to a victim’s computer.
The Malware Attack that Includes the Troj/DarkDrp-A Component
Troj/DarkDrp-A is part of a multi-component malware attack that also uses social engineering to convince computer users to open what seems to be a safe Windows Help file. However, when this file is opened, it forces the victim’s computer to display an error message reading:
Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)
This error message is designed to distract the victim. While the victim is reading it, the Troj/DarkDrp-A component is dropped in the background. Troj/DarkDrp-A takes the form of an executable file named Windows Security Center.exe. This malicious executable file installs a keylogger component on the victim’s computer, in the form of a malicious DLL file. Detected as Troj/Agent-OVJ or Mal/DarkShell-A, this dangerous DLL file keeps track of the victim’s activity on the infected computer in order to steal important data, which may include credit card numbers, email passwords, and online banking data.
The Goal of a Troj/DarkDrp-A Infection
Once installed, the malicious keylogger keeps track of all activity on the victim’s computer, storing all keystrokes in a fake UserData file in the Documents and Settings directory. The malicious DLL attempts to send this information to the remote host images.zyns.com, which is known to be linked to malware attacks. It is important to be suspicious of HLP files. While Windows Help files are generally considered safe, they can be altered to install malware such as Troj/DarkDrp-A on the victim’s computer.
Type: Trojans
How Can You Detect Troj/DarkDrp-A?
Troj/DarkDrp-A Technical Report
As new Troj/DarkDrp-A details are reported by our customers and our Threat Research Center, we will update this section.
Fake message for Troj/DarkDrp-A:
The following fake error message appears for Troj/DarkDrp-A:
Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)
Troj/DarkDrp-A Removal Details
Troj/DarkDrp-A typically has the following processes in memory:
- Windows Security Center.exe
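One way a defender could hunt for the chain described on this page, as an added example that is not part of the original report: it correlates the three indicators named above (the Amministrazione.hlp lure, the Windows Security Center.exe process, and lookups of images.zyns.com) per host. The event records and their field names are constructed for illustration and do not follow any real product's log schema.

```python
# Added example: per-host correlation of the indicators named in this report.
INDICATORS = {
    "lure_hlp": "amministrazione.hlp",                 # lure file name
    "dropper_process": "windows security center.exe",  # dropped executable
    "c2_dns": "images.zyns.com",                       # remote host
}

# Constructed sample telemetry; field names are assumed, not a real log schema.
EVENTS = [
    {"host": "pc-01", "type": "file_open", "path": r"C:\Users\a\Downloads\Amministrazione.hlp"},
    {"host": "pc-01", "type": "process_start", "image": r"C:\Users\a\AppData\Local\Temp\Windows Security Center.exe"},
    {"host": "pc-01", "type": "dns_query", "name": "images.zyns.com."},
    {"host": "pc-02", "type": "file_open", "path": r"C:\Windows\Help\notepad.hlp"},
    {"host": "pc-02", "type": "dns_query", "name": "notimages.zyns.com.example"},
    {"host": "pc-03", "type": "process_start", "image": r"D:\tools\WINDOWS SECURITY CENTER.EXE"},
]

def basename(path):
    """Lower-cased final component of a Windows or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_c2(name):
    """Match the host or a subdomain of it, never a mere substring."""
    name = name.rstrip(".").lower()
    host = INDICATORS["c2_dns"]
    return name == host or name.endswith("." + host)

def stage_of(event):
    """Return the attack stage an event maps to, or None."""
    kind = event["type"]
    if kind == "file_open" and basename(event["path"]) == INDICATORS["lure_hlp"]:
        return "lure_hlp"
    if kind == "process_start" and basename(event["image"]) == INDICATORS["dropper_process"]:
        return "dropper_process"
    if kind == "dns_query" and is_c2(event["name"]):
        return "c2_dns"
    return None

def triage(events):
    """Group matched stages by host; two or more distinct stages is 'high'."""
    seen = {}
    for event in events:
        stage = stage_of(event)
        if stage:
            seen.setdefault(event["host"], set()).add(stage)
    return {h: {"stages": sorted(s), "verdict": "high" if len(s) >= 2 else "review"}
            for h, s in seen.items()}

if __name__ == "__main__":
    for host, result in triage(EVENTS).items():
        print(host, result)
```

A single matching stage is only marked for review because a file or process name alone is a weak signal; the verdict rises once independent stages line up on the same host.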