Troj/HlpDrp-B Description
Troj/HlpDrp-B is a malicious file named Amministrazione.hlp (the Italian word for ‘Administration’). Do not be misled by the HLP extension. While files that have this extension are normal Windows Help files, criminals can alter these kinds of files in order to install malware on the victim’s computer. Troj/HlpDrp-B is one of these kinds of booby-trapped HLP files that, when opened, will install a dangerous malware infection on the victim’s computer. First detected in August of 2012, the Troj/HlpDrp-B file is installed on the victim’s computer via a combination of social engineering and malware tactics. ESG security researchers advise computer users to be suspicious of HLP files, especially if they are accompanied by suspicious error messages.
How the Troj/HlpDrp-B Amministrazione.HLP Scam Works
Criminals use social engineering tactics to trick inexperienced computer users into opening Troj/HlpDrp-B, which installs the malware component included in this seemingly innocuous HLP file. When the file is opened, an error message is displayed. This error message reads:
Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)
However, while the victim is distracted by this error message, the Troj/HlpDrp-B Trojan will drop a malicious executable file on the victim’s computer. This file is named Windows Security Center.exe and is detected as Troj/DarkDrp-A or Mal/DarkDrp-AT. This executable, in turn, creates a malicious DLL file named RECYCLER.DLL. This malicious DLL file is detected as Troj/Agent-OVJ or as Mal/DarkShell-A. This DLL file is actually a keylogger, a malware infection designed to track all keys pressed on the infected computer’s keyboard.
Understanding the Troj/HlpDrp-B Attack
The DLL component in this malware attack is part of the infamous DarkShell Trojan, which is closely associated with a dangerous botnet known as GhostNet. The goal of the Troj/HlpDrp-B attack is to install the keylogger component on the victim’s computer. Once installed, the keylogger stores all keystrokes detected on the infected computer in the UserData.dat file, located in the Application Data directory in Documents and Settings. The DLL component then attempts to send the data it captures to a remote server, a domain named images.zyns.com that has been closely associated with various malware attacks. To prevent Troj/HlpDrp-B infections, ESG security researchers advise computer users to be careful when handling HLP files, which, as this attack shows, can be used to deliver malware. Troj/HlpDrp-B in particular jeopardizes your privacy and can place your banking accounts and other personal information at risk.
Type: Trojans
How Can You Detect Troj/HlpDrp-B?
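A triage sweep built from the indicators named on this page (the three file names, the UserData.dat keystroke log under Application Data, and the domain images.zyns.com), given as an added example that is not ESG's own tooling. The function names, the DNS log format and the sample paths are assumptions constructed for illustration.

```python
# Indicators named in the write-up above. Matching is case-insensitive,
# as Windows file names and DNS names are.
DROPPED_NAMES = {"amministrazione.hlp", "windows security center.exe", "recycler.dll"}
KEYLOG_NAME = "userdata.dat"  # generic name: flag only under Application Data
REPORT_DOMAIN = "images.zyns.com"

def check_path(path):
    """Return a reason string if a Windows path matches an indicator, else None."""
    parts = path.replace("/", "\\").lower().split("\\")
    name = parts[-1]
    if name in DROPPED_NAMES:
        return "dropped file name: " + name
    if name == KEYLOG_NAME and "application data" in parts[:-1]:
        return "keystroke log in Application Data"
    return None

def check_dns(qname):
    """True if qname is the reporting domain or a subdomain of it."""
    q = qname.strip().rstrip(".").lower()
    return q == REPORT_DOMAIN or q.endswith("." + REPORT_DOMAIN)

def sweep(paths, dns_lines):
    """Return (source, evidence, reason) tuples for a file listing and a DNS log."""
    hits = [("file", p, check_path(p)) for p in paths if check_path(p)]
    for line in dns_lines:
        # Assumed log format: "<timestamp> <client-ip> <query-name>"
        fields = line.split()
        if len(fields) >= 3 and check_dns(fields[2]):
            hits.append(("dns", line, "query for " + REPORT_DOMAIN))
    return hits

# Constructed sample data; user name, paths and log lines are made up.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\anna\Desktop\Amministrazione.hlp",
    r"C:\Documents and Settings\anna\Application Data\UserData.dat",
    r"C:\Documents and Settings\anna\Local Settings\Temp\recycler.dll",
    r"C:\RECYCLER\S-1-5-21-0000\desktop.ini",   # Recycle Bin folder, not the DLL
    r"D:\games\save\UserData.dat",              # same name, wrong location
]
SAMPLE_DNS = [
    "2012-08-20T10:01:02 10.0.0.5 IMAGES.ZYNS.COM.",
    "2012-08-20T10:01:09 10.0.0.5 images.zyns.com.example.org",  # look-alike
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_PATHS, SAMPLE_DNS):
        print(hit)
```

A name match is a lead for further inspection, not proof of infection; this page gives no file hashes to confirm against.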
Troj/HlpDrp-B Technical Report
We will update this section as new Troj/HlpDrp-B details are reported by our customers and by our Threat Research Center.
Fake message for Troj/HlpDrp-B:
The following fake error message appears for Troj/HlpDrp-B:
Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)
Troj/HlpDrp-B Removal Details
Troj/HlpDrp-B creates the following files in the system:
- Amministrazione.hlp