Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

A malicious drop

Read: 1114 Comments: 2 Rating: 11

Droppers are applications that deploy malware on PCs and other devices.

For example, a program of this kind was used to distribute WannaCry.

WannaCry’s dropper carries a massive, password-protected ZIP archive containing the encrypted ransomware file, Windows Desktop wallpaper containing the cybercriminals’ demands, a list of onion server addresses, and the name of a Bitcoin transaction wallet, as well as another archive with Tor network tools.

The dropper is launched from the worm’s body, installs itself in the system, and then attempts to launch a copy of itself as a randomly named system service. If this attempt is unsuccessful, it is executed as an ordinary application. The dropper’s main task is to save the archived contents on the disk and launch the ransomware.

Dropper - a kind of Trojan that has been designed to "install" some sort of malware (virus, backdoor, etc.) in a target system. The malware’s code can be contained within the dropper (single-stage) in such a way as to avoid being detected by virus scanners or the dropper may download the malware to the target machine once it’s been activated (two-stage).

The Trojan is distributed by a dropper implemented as a Microsoft Excel file with a special built-in macro. The macro assembles and launches a self-extracting archive. The archive contains an executable file with a valid digital signature registered to Symantec and a dynamic library carrying the main Trojan payload.

Here is one day's "catch":



And that's only MulDrop programs!

Droppers can't infect computers on their own. They need to be delivered and launched in a target system.

Trojan.MulDrop6.48664 installs the infamous BackDoor.TeamViewer.49 on computers. However, this time, hackers disguised the dropper as a questionnaire application that was allegedly being distributed by a popular Russian airline.

Similarly to other malware, a dropper can "arrive" in a system via email, over a browser or removable media or be deployed during a remote attack.

It can also be part of another program that will launch it to write data onto a disk. Here is an example.

Droppers exist for many operating systems including Windows, Linux and Android.

The dropper is written in Lazarus (a free, cross-platform IDE for the Free Pascal compiler). Once launched, it displays the following dialog containing a list of devices designed to carry out operations using the Bitcoin cryptocurrency:


Another of the Trojan’s components—a backdoor—is stored within it in an unencrypted format.

Droppers can infect specific applications as well as operating system components.

1C.Drop.1 is written in Cyrillic characters using the 1С accounting software's scripting language.


The Trojan was distributed as an attachment to emails targeting accountants. If the user opened the file in the 1C:Enterprise program, 1C.Drop.1 would send a copy of itself to all of the contractors whose email addresses were specified in the database and then run a dangerous ransomware Trojan.

Apart from installing other malware, droppers perform no other malicious actions, and that makes them particularly dangerous. They can carry out their tasks covertly and then delete themselves.

A dropper, which saves an installer to the disk and runs it, is the first thing launched on an attacked computer. And a BAT file, which is responsible for the dropper’s removal, is simultaneously launched on the machine.

Dr.Web recommends

Droppers are particularly dangerous malicious specimens. Because its activities go unnoticed by users, a dropper can repeatedly infiltrate target systems by exploiting vulnerabilities and removing itself after the system has been infected.

To keep a computer protected from them, vigilance and caution aren't enough. An anti-virus, timely security updates and restricted permissions for installing new software are also required.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.


Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.