This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Minimum DAT: 4287 (2003-08-19)
Updated DAT: 4287 (2003-08-19)
Minimum Engine: 5.1.00
File Length: 3,072 bytes
Description Added: 2003-08-18
Description Modified: 2003-08-19
This downloader trojan is closely related to an earlier variant, Downloader-DN. It is written in MSVC, and the potentially suspicious strings in its data section (such as the download URL and target filename) are stored weakly encrypted rather than in plaintext, so they do not show up in a simple strings dump.
The downloader trojan has been spammed to many users via email messages with the following characteristics:
Subject: Re[2]: photos
Attachment: PHOTO1.JPG.SRC
The .SRC extension is not directly executable on typical machines; presumably the author intended .SCR (the Windows screensaver extension, which is run as an ordinary executable).
When run, it displays a fake error message prior to downloading and executing a file from a remote server (URL hardcoded within the downloader trojan).
The remote file is downloaded to the Windows System directory using a filename also hardcoded in the trojan:
C:\WINDOWS\SYSTEM\TMP2334.EXE
At the time of writing, the remote file was a dropper for a password-stealing trojan, PWS-Sincom.dr.
The downloader trojan is known to have been spammed to many users via email. A probable typo in the attachment's filename extension (.SRC rather than .SCR) means that double-clicking the attachment does not run it on typical machines.
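The spam run above is a good test case for mail-gateway attachment triage. The following is an added example, not code from the advisory or from McAfee: it parses a message, flags attachments with a double extension, a directly executable extension, or an extension one typo away from an executable one (which is how .SCR became .SRC here), and goes slightly beyond this one sample by handling any such near-miss rather than only .SRC. The executable-extension list, the sender, body and attachment bytes in the sample message are assumptions; only the subject line and attachment name come from the advisory.

```python
import email
from email import policy

# Extensions Windows runs directly on double-click. Illustrative subset,
# an assumption for this example, not a list taken from the advisory.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}


def lookalike_executable(ext):
    """Return the executable extension `ext` is one typo away from, or None.

    One typo means a single substituted character or one swapped adjacent
    pair, which is exactly how .SCR becomes .SRC. Genuine executable
    extensions are not reported here; classify_attachment flags those.
    """
    ext = ext.lower()
    if ext in EXECUTABLE_EXTS:
        return None
    for cand in sorted(EXECUTABLE_EXTS):
        if len(cand) != len(ext):
            continue
        if sum(a != b for a, b in zip(cand, ext)) == 1:
            return cand
        for i in range(len(ext) - 1):
            swapped = ext[:i] + ext[i + 1] + ext[i] + ext[i + 2:]
            if swapped == cand:
                return cand
    return None


def classify_attachment(filename):
    """Report the three name-based warning signs for one attachment."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    return {
        "filename": filename,
        "double_extension": len(parts) >= 3,          # e.g. PHOTO1.JPG.SRC
        "executable": ext in EXECUTABLE_EXTS,         # would run on double-click
        "lookalike_of": lookalike_executable(ext) if ext else None,
    }


def triage_message(raw_message):
    """Parse an RFC 822 message and return findings for suspicious attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        info = classify_attachment(name)
        if info["double_extension"] or info["executable"] or info["lookalike_of"]:
            info["subject"] = str(msg["Subject"])
            findings.append(info)
    return findings


# Constructed sample message modelled on the spam run in the advisory.
# Subject and attachment name are from the advisory; addresses, body text
# and the attachment payload are made up for this example.
SAMPLE_EML = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: Re[2]: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

here are the photos
--sep
Content-Type: application/octet-stream; name="PHOTO1.JPG.SRC"
Content-Disposition: attachment; filename="PHOTO1.JPG.SRC"
Content-Transfer-Encoding: base64

TVo=
--sep--
"""

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_EML):
        print(finding)
```

Run against the sample message, this reports PHOTO1.JPG.SRC as a double extension whose final part is a lookalike of .SCR, while a plain photo.jpg produces no finding. The lookalike rule is deliberately narrow (one substitution or one transposition) so that ordinary extensions such as .jpg or .txt are not flagged; treat a hit as a reason to quarantine for review, not as proof of malice.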
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.