A Trojan that embeds a malicious library into running processes using the DLL side-loading method. It is distributed by the Trojan.MulDrop6.44482 dropper.
It receives the name of the executable file to be run and the name of the malicious library. Once the target process is launched, the Trojan generates a list of the components loaded by that process.
Then it removes the following components from the list:
- components from \\KnownDlls or \\KnownDlls32;
- components from a process import table.
The Trojan uses the remaining components to load the malicious library: it copies the malicious library into the folder of the target application under the name of one of the libraries left on the list, and then launches the executable file.
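
The result of this technique is a library with a system DLL name being loaded from the application folder instead of the system directory. The following detection sketch is an added example, not code from the original write-up: it scans image-load records for that pattern. The DLL name sets, paths and load events are constructed sample data, and `find_sideload_suspects` is a hypothetical helper name.

```python
import ntpath

# Constructed sample data, not taken from the write-up.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ole32.dll"}   # names under \KnownDlls
SYSTEM_DLLS = KNOWN_DLLS | {"version.dll", "winmm.dll"}    # names shipped in System32
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# (process image, loaded module) pairs, shaped like image-load telemetry.
LOAD_EVENTS = [
    (r"C:\Tools\viewer\viewer.exe", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Tools\viewer\viewer.exe", r"C:\Windows\System32\version.dll"),
    (r"C:\Tools\viewer\viewer.exe", r"C:\Tools\viewer\plugin.dll"),
    (r"C:\Users\Public\app\viewer.exe", r"C:\Users\Public\app\VERSION.dll"),
]


def find_sideload_suspects(events, known_dlls=KNOWN_DLLS, system_dlls=SYSTEM_DLLS):
    """Return loads where a system DLL name was resolved from the application folder."""
    suspects = []
    for image, module in events:
        exe_dir = ntpath.dirname(image).lower()
        mod_dir, mod_name = ntpath.split(module.lower())
        if mod_name in known_dlls:
            continue  # KnownDlls names are not resolved through the search path
        if mod_dir in SYSTEM_DIRS:
            continue  # loaded from the expected system location
        if mod_dir == exe_dir and mod_name in system_dlls:
            suspects.append((image, module))
    return suspects


if __name__ == "__main__":
    for image, module in find_sideload_suspects(LOAD_EVENTS):
        print(f"suspect side-load: {image} <- {module}")
```

Names under KnownDlls are skipped because they are not resolved through the search path, which matches the Trojan's own decision to drop them from its list.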