Downloader-BN.b

This page shows details and results of our analysis on the malware Downloader-BN.b

Download Current DAT: 6618

Threat Detail

Malware Type: Trojan

Malware Sub-type: Downloader

Discovery Date: 2003-06-25

Next Steps:

Overview
Characteristics
Symptoms
Method of Infection
Removal

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Minimum DAT

4273 (2003-06-25)

Updated DAT

4273 (2003-06-25)

Minimum Engine

5.1.00

File Length

12,800 Bytes

Description Added

2003-06-25

Description Modified

2003-06-25

Malware Proliferation

Characteristics

-- Update June 25, 2003 --
This threat was updated to a Low-Profiled risk due to media attention at: http://silicon.com/news/500013/1/4853.html

This trojan pretends to be the latest patch from Microsoft and is believed to have been SPAMmed to many users. The format of the message is a follows:

[spam] IMPORTANT!! Critical security hole in Windows!
Dear Windows User! New Windows 9x/2000/NT/XP critical patch has been released. Due to security problems, your system needs to be updated as earlier as possible. You can download an update patch on Windows Update site: http://www.windows-update.com Best regards, Windows Update Group

The URL inside the message is not an official Microsoft site and if visited, the Downloader-BN.b trojan (named UPDATE0932.EXE) is downloaded.

The trojan copies itself as 'REGSVS32.EXE' in to the %Windir% folder.

Many instances of Internet Explorer downloading this file are displayed which results to bringing the machine to a halt.

'UPDATE0932.EXE' is a downloader which retrieves a text file, rq.txt from a remote server. The text file contains a path to another remote file (Note: this path may be modified by the hacker at anytime). This remote file is downloaded and executed.

Since the contents of RQ.TXT may vary, the exact file downloaded is unpredictable. At this time, at least two binaries have been referenced in RQ.TXT:

WINPWR32.EXE - detected as IRC/Flood.co.dr with the 4273 DATs (or greater).
SVSGHOST.EXE - detected as IRC/Sdbot since 4258 DATs.

The downloader trojan hooks system startup by adding one of the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "Regsvs Services"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer\Run "0"

Setting them to point to the installed downloader:

%WinDir%\REGSVS32.EXE (12,800 bytes)

Symptoms

Presence of the file REGSVS32.EXE in the Windows directory with an icon typically associated with the Registry Editor:

As the trojan uses remote files, the effects of an infection may vary.

Method of Infection

This trojan connects to a remote website to retrieve a text file, which contains a URL specifying a remote file to download.

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

Information on deleting registry keys

Restart the computer

Delete the files mentioned above

Additional Windows ME/XP removal considerations