DownLoader-EG

This page shows details and results of our analysis of the malware DownLoader-EG.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4296 (2003-10-01)

Updated DAT

4296 (2003-10-01)

Minimum Engine

5.1.00

File Length

2,580

Description Added

2003-09-25

Description Modified

2003-10-06

Malware Proliferation

Characteristics

Upon execution this trojan tries to download a trojan (trojan.exe) from a web site and attempts to execute it. At the time of this description the file trojan.exe, whose purpose is currently unknown, is unavailable from the above website.

DownLoader-EG is known to have been distributed from this website using an Internet Explorer vulnerability. A vulnerable browser would download and run the trojan just by visiting the web site.

Note: Spam messages have been observed that try to trick the user into visiting the above website. At the time of writing the homepage shows a blank white page with a "This site is temporary unavailable" message, but it actually opens 5 more browser windows, each containing a different exploit for a different Internet Explorer vulnerability. One of these exploits tries to upload and run DownLoader-EG on the visiting system.
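The infection chain described above (an exploit page served to Internet Explorer, a 2,580-byte downloader, and an attempted fetch of trojan.exe) leaves a recognisable trace in web-proxy logs. The script below is an added example of how a defender might triage such logs; it is not McAfee's code. The log format, the client addresses and the domain malicious.example are constructed for the example, since the page does not name the distribution site, and the request for trojan.exe is treated as a finding even when it fails (HTTP 404), because the downloader must already have run on the client to issue that request.

```python
"""Triage of web-proxy log lines for the DownLoader-EG infection chain.

Added example, not part of the original description. Assumes a simple
space-separated proxy log: timestamp client method url status body_bytes "user-agent".
"""
import re
from collections import defaultdict

# Indicators taken from the description above.
SECOND_STAGE_NAME = "trojan.exe"   # second-stage file the downloader requests
DOWNLOADER_SIZE = 2580             # file length of DownLoader-EG in bytes
MSIE_MARKER = "MSIE"               # the downloader arrives via an IE exploit page

# Constructed sample log (placeholder domain malicious.example, made-up clients).
SAMPLE_LOG = """\
2003-09-25T10:00:01 10.1.2.3 GET http://malicious.example/ 200 412 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2003-09-25T10:00:02 10.1.2.3 GET http://malicious.example/exp1.html 200 1500 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2003-09-25T10:00:03 10.1.2.3 GET http://malicious.example/exp2.html 200 1700 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2003-09-25T10:00:04 10.1.2.3 GET http://malicious.example/dl.exe 200 2580 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2003-09-25T10:00:09 10.1.2.3 GET http://malicious.example/trojan.exe 404 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2003-09-25T10:05:00 10.1.2.4 GET http://intranet.example/report.pdf 200 90000 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def triage(log_text):
    """Return {client: [finding, ...]} for clients showing the DownLoader-EG chain."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        filename = rec["url"].lower().rsplit("/", 1)[-1]
        client = rec["client"]

        if filename == SECOND_STAGE_NAME:
            note = "second-stage fetch of %s (HTTP %d)" % (SECOND_STAGE_NAME, rec["status"])
            if rec["status"] != 200:
                # The page notes trojan.exe is unavailable; a failed fetch still
                # means the downloader executed on this client.
                note += "; fetch failed, but the downloader must have run to request it"
            findings[client].append(note)
        elif (filename.endswith(".exe") and rec["size"] == DOWNLOADER_SIZE
              and MSIE_MARKER in rec["ua"]):
            findings[client].append(
                "2,580-byte executable downloaded by Internet Explorer: " + rec["url"])
    return dict(findings)


if __name__ == "__main__":
    for client, notes in sorted(triage(SAMPLE_LOG).items()):
        print(client)
        for note in notes:
            print("  -", note)
```

The size match alone is a weak indicator (many small files are 2,580 bytes), which is why it is paired with the Internet Explorer user agent and why the trojan.exe request is reported separately as the stronger signal; a host that appears under both should be treated as infected and cleaned with the engine and DAT versions listed above.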

Symptoms

New files dropped on the target machine.

Method of Infection

This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate.

DownLoader-EG is known to have been distributed from this website using an Internet Explorer vulnerability. A vulnerable browser would download and run the trojan just by visiting the web site.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants