
TROJ_MDROP.EVL

Posted: August 17, 2012

Threat Metric

Threat Level: 9/10
Infected PCs: 21
First Seen: August 17, 2012
Last Seen: March 24, 2023
OS(es) Affected: Windows

TROJ_MDROP.EVL is an aptly-named Trojan dropper that uses an Adobe Flash vulnerability to install a second Trojan on your computer. Because TROJ_MDROP.EVL is distributed primarily as an e-mail file attachment, SpywareRemove.com malware experts note that avoiding suspicious e-mail-distributed files (or scanning them before opening them) should be considered an effective defense against TROJ_MDROP.EVL's attack, which installs a backdoor Trojan. That backdoor should be treated as a high-level security breach and removed immediately with your choice of anti-malware scanner, since it includes basic backdoor functionality that could allow a criminal-controlled server to take over your PC.

When Flash SWFs Go Wild with TROJ_MDROP.EVL

TROJ_MDROP.EVL is designed to take advantage of the CVE-2012-1535 Flash vulnerability, which allows malicious code to run without your consent. This vulnerability applies to versions of Adobe Flash Player prior to 11.3.300.271 (for Windows or Macs) or 11.2.202.238 (for Linux); Flash Player builds equal to or more recent than these versions are not affected by it. After TROJ_MDROP.EVL is launched, it uses this exploit to install the backdoor Trojan BKDR_BRIBA.EVL.

However, TROJ_MDROP.EVL still has to be launched before it can perform this attack in the first place. Most reports of TROJ_MDROP.EVL attacks originate with mass-mailed e-mail spam that persuades victims to download an attachment carrying TROJ_MDROP.EVL (by claiming that the file is some form of benign document, such as an invoice or business report). SpywareRemove.com malware experts also note that TROJ_MDROP.EVL, rather than being a plain Flash file, actually is a Word file with concealed SWF content and, as such, may appear to be a harmless text document when you try to open it.
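The two checks a defender would want from the sections above, as an added example that is not part of the original article: scanning an Office document for embedded SWF headers (the "Word file with concealed SWF content" pattern) and comparing an installed Flash Player version against the fixed builds named for CVE-2012-1535. The sample document bytes, function names and the platform keys are constructed for this illustration.

```python
import re
import struct

# Minimum Flash Player builds containing the CVE-2012-1535 fix, as stated on this page.
FIXED_FLASH_VERSIONS = {
    "windows": (11, 3, 300, 271),
    "mac": (11, 3, 300, 271),
    "linux": (11, 2, 202, 238),
}

# An SWF starts with a 3-byte signature (FWS = uncompressed, CWS = zlib, ZWS = LZMA),
# a one-byte SWF version and a little-endian uint32 uncompressed file length.
_SWF_MAGIC = re.compile(rb"[FCZ]WS")

def find_embedded_swf(data: bytes, max_version: int = 40) -> list:
    """Return (offset, signature, version, length) for every plausible SWF header in data."""
    hits = []
    for m in _SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        # Sanity-check the header fields to reduce false positives on random 'FWS' byte runs.
        if 1 <= version <= max_version and 8 <= length <= 0x10000000:
            hits.append((off, m.group().decode(), version, length))
    return hits

def is_office_container(data: bytes) -> bool:
    """True for a legacy OLE compound file (.doc) or an OOXML zip container (.docx)."""
    return data.startswith(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1") or data.startswith(b"PK\x03\x04")

def flash_is_patched(version: str, platform: str) -> bool:
    """Compare a dotted Flash Player version string against the fixed build for the platform."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= FIXED_FLASH_VERSIONS[platform]

def classify(data: bytes) -> str:
    """Label a file as a plain SWF, an Office document hiding an SWF, or neither."""
    swf = find_embedded_swf(data)
    if is_office_container(data) and swf:
        return "suspicious: Office document with embedded SWF"
    if swf and data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "plain SWF"
    return "no SWF found"

# Constructed sample: an OLE header, filler, then a fake uncompressed SWF header (not real malware).
SAMPLE_DOC = (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 512
              + b"FWS" + bytes([10]) + struct.pack("<I", 2048) + b"\x00" * 64)
```

Run `classify(SAMPLE_DOC)` to see the flagged verdict; on a real mail gateway the same scan would run over each attachment before delivery.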

Exorcising TROJ_MDROP.EVL's Special Brand of Evil from Your Hard Drive

TROJ_MDROP.EVL's payload, BKDR_BRIBA.EVL, includes functions that allow it to download and launch malicious files without your permission. Since BKDR_BRIBA.EVL also injects itself into running processes, SpywareRemove.com malware analysts recommend that you use Safe Mode or a USB flash drive-based system boot to prevent BKDR_BRIBA.EVL from compromising the processes of other programs. Once you've disabled BKDR_BRIBA.EVL, any good anti-malware product should be able to delete TROJ_MDROP.EVL and BKDR_BRIBA.EVL in a system scan. Any scan should be thorough enough to detect TROJ_MDROP.EVL and BKDR_BRIBA.EVL, as well as any other PC threats that may have been installed by either of these Trojans.

The one spot of good news to a TROJ_MDROP.EVL attack is that, as of the time of this article's writing, BKDR_BRIBA.EVL's server appears to be disabled. This may be a case of the relevant authorities having already caught on to BKDR_BRIBA.EVL's attacks and taken appropriate measures to block it from communicating with its C&C components. However, SpywareRemove.com malware experts also note that there's no certainty that future versions of TROJ_MDROP.EVL's payloads will not simply switch to a fresh server.

TROJ_MDROP.EVL's aliases include MSWord/SWFDropper.A!Camelot, Trojan.Mdropper, Exploit:SWF/ShellCode.G and ARC:Embedded.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%User Profile%\Local Settings\~WORDL.tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

%User Profile%\Application Data\taskman.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file