Orz.A Trojan

January 14, 2011

SonicWALL UTM Research team received reports of a new Trojan spreading in the wild. Once on a system it appears to post potential sensitive information to a remote web server. In the background it installs a copy of the "Super Rabbit" system configuration software. The software is installed without user interaction or consent.

The Trojan makes DNS queries to the following hosts:

  • download.youbak.com
  • tj.pctutu.net
  • srtj.pctutu.net

The Trojan makes a request to download a silent installer for the software "Super Rabbit":

  • http://121.15.221.{removed}/soft/113/sr_v9_mini.exe

The Trojan and silent installer make the following modifications to the system:


The Trojan sends potential sensitive information to a remote site using the HTTP POST command:


SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Orz.A (Trojan)