Threat behavior
Trojan:Win32/Perfcoo.A is a small Trojan downloader. Trojan:Win32/Perfcoo.A may contact a remote Web site and execute a server-side script. This Trojan may be installed or downloaded by other pre-existing Trojans or unwanted software on the infected computer.
Trojan:Win32/Perfcoo.A exists as a dynamic link library disguised under the name hrum???.txt, where ??? is a three-digit number. The Trojan itself is obfuscated and does not contain exports. When the Trojan is installed, it is registered to load from the following registry value at Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Each Trojan DLL listed within this value will be loaded by each Microsoft Windows-based application that is running in the current logon session.
Trojan:Win32/Perfcoo.A may open HTTP connections to remote Web sites, requesting a file "p00.php" with various parameters, and may download additional Trojans or unwanted software.
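A defender-side check for the persistence described above, as an added example that is not part of the original description: it splits an AppInit_DLLs string and flags entries named hrum???.txt. Flagging any other entry without a .dll extension goes beyond the text, and the function names and the sample value are constructed for illustration.

```python
import ntpath
import re

# Name pattern from the description: hrum???.txt, where ??? is three digits.
PERFCOO_NAME = re.compile(r"^hrum\d{3}\.txt$", re.IGNORECASE)

def split_appinit(value):
    """AppInit_DLLs is one string; entries are separated by spaces or commas."""
    parts = re.split(r"[ ,]+", value.strip())
    return [p.strip('"') for p in parts if p.strip('"')]

def classify(entry):
    """Label one entry by file name only (no file access is needed)."""
    name = ntpath.basename(entry)
    if PERFCOO_NAME.match(name):
        return "perfcoo-name"          # matches the disguise named on this page
    if not name.lower().endswith(".dll"):
        return "non-dll-extension"     # generalisation: a DLL posing as another type
    return "review"                    # ordinary-looking entry, still worth a look

def audit(value):
    return [(entry, classify(entry)) for entry in split_appinit(value)]

def read_appinit():
    """Read the live value on Windows; returns '' elsewhere or when unset."""
    try:
        import winreg
    except ImportError:
        return ""
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, "AppInit_DLLs")[0]
    except OSError:
        return ""

# Constructed sample value, not taken from a real infection.
SAMPLE = r"C:\WINDOWS\system32\hrum417.txt, C:\PROGRA~1\Vendor\hook.dll notes.dat"

if __name__ == "__main__":
    # Falls back to the constructed sample when no live value is available.
    for entry, verdict in audit(read_appinit() or SAMPLE):
        print(f"{verdict:18} {entry}")
```

On a clean system the value is normally empty, so any entry reported here deserves a look before it is trusted.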
Prevention