Since March of 2005, certain security software manufacturers have used the detection name Trojan.Mdropper to indicate the presence of a specific type of Trojan on an infected computer. These kinds of Trojans can infect versions of Windows going back to Windows 95!
Once this threat is executed, its own code simply loads itself into memory, then extracts the malware payload and writes it to the file system. It may perform any installation procedures and execute the newly dropped malware. The dropper usually ceases to execute at this point, as its primary function has been accomplished.
Trojan.Mdropper creates the following file(s):
%UserProfile%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
Variants include (but are not limited to) Trojan.Mdropper.Z (Symantec), TROJ_MDROPPER.WR (Trend Micro), Trojan.Mdropper.AA (Symantec), TROJ_MDROPPER.MB (Trend Micro), Trojan.Mdropper.AC (Symantec).
The presence of the following files may also indicate an infection:
summary on china's 2006 defense white paper.doc
This type of threat is used by malware creators to disguise their malware. They create confusion amongst users by making the droppers look like legitimate Microsoft Word or Excel files. The droppers may also perform actions that mislead the user into thinking that nothing untoward is happening on the computer when in fact the Trojan may have already dropped and executed other malicious software.
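The drop-then-execute sequence described above (write a payload to disk, launch it, then exit) can be hunted for in endpoint telemetry. The following is an added example, not code from any vendor's detection: the event format, field names, sample events and the 60-second window are all assumptions constructed for illustration.

```python
# Constructed sample telemetry, not taken from a real host. The event and
# field names are assumptions, loosely modelled on endpoint process/file logs.
EVENTS = [
    {"ts": 10.0, "type": "file_create", "pid": 4120,
     "target": r"C:\Users\a\AppData\Local\Temp\update.exe"},
    {"ts": 12.5, "type": "process_create", "pid": 4188, "parent_pid": 4120,
     "image": r"C:\Users\a\AppData\Local\Temp\Update.exe"},
    {"ts": 13.0, "type": "process_exit", "pid": 4120},
    # Benign: an installer writes a program file but never launches it.
    {"ts": 20.0, "type": "file_create", "pid": 900,
     "target": r"C:\Program Files\App\app.exe"},
    # Benign: a process starts a program it did not write.
    {"ts": 30.0, "type": "process_create", "pid": 910, "parent_pid": 700,
     "image": r"C:\Windows\System32\notepad.exe"},
]

EXEC_EXT = (".exe", ".dll", ".scr", ".com")
WINDOW = 60.0  # assumed tuning value: max seconds between write and launch


def norm(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.replace("/", "\\").lower()


def find_drop_and_run(events, window=WINDOW):
    """Return one finding per executable written and then started by the same process."""
    drops = {}     # (writer pid, normalised path) -> time of the write
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_create" and norm(ev["target"]).endswith(EXEC_EXT):
            drops[(ev["pid"], norm(ev["target"]))] = ev["ts"]
        elif ev["type"] == "process_create":
            written = drops.get((ev["parent_pid"], norm(ev["image"])))
            if written is not None and ev["ts"] - written <= window:
                findings.append({"dropper_pid": ev["parent_pid"],
                                 "payload": ev["image"],
                                 "delay": ev["ts"] - written,
                                 "dropper_exited": False})
        elif ev["type"] == "process_exit":
            # The dropper usually stops once the payload is running.
            for f in findings:
                if f["dropper_pid"] == ev["pid"]:
                    f["dropper_exited"] = True
    return findings


if __name__ == "__main__":
    for finding in find_drop_and_run(EVENTS):
        print(finding)
```

Legitimate installers and updaters also write and then start executables, so a match is a lead for triage rather than a verdict; the writer's own file name and origin (for example a document-looking file run from a mail attachment folder) are what separate the two.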