This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Minimum DAT: 4303 (2003-11-12)
Updated DAT: 4363 (2004-05-26)
Minimum Engine: 5.1.00
File Length: 2,560 bytes
Description Added: 2003-11-07
Description Modified: 2003-11-07
The purpose of this trojan is simply to download a file from the Internet and execute it. At the time of this writing, the trojan downloaded another trojan (detected with the specified engine/DATs as Sprocit trojan).
This downloader is known to have been spammed out to users in the following email:
Subject: I WAS SHOCKED!
Body:
Hi Greg its Wendy! :)
I was shocked when I found out that it wasn't you but your twin brother, that's
amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9. He took my skirt off, then my panties, then my bra, he sucked my t**s with the same fury you do it. He was writing alphabet on my p***y for 20 minutes, then suddenly stopped, put me in d***y style position and stuck his dagger. But Greg, why didn't you warn me that his d**k is 15 inches long? I was struck, we f***ed whole night. I'm so thankful to
you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting..
Attachment: photo0001.asp.scr
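The attachment name above hides an executable screen-saver extension (.scr) behind a decoy extension (.asp). The following mail-filter check for that pattern is an added example, not part of the original description or any vendor tooling; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists: final extensions Windows executes, and harmless-looking decoys.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}
DECOY_EXTS = {"asp", "htm", "html", "jpg", "jpeg", "gif", "txt", "doc", "pdf"}

def is_disguised_executable(filename):
    """True when an executable extension follows a decoy one, e.g. name.asp.scr."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so "x.jpg.scr. " still runs as .scr;
    # padding between the extensions ("x.jpg     .scr") is stripped per component.
    parts = [p.strip().lower() for p in base.strip().rstrip(". ").split(".")]
    return (len(parts) >= 3
            and parts[-1] in EXECUTABLE_EXTS
            and parts[-2] in DECOY_EXTS)

def suspicious_attachments(raw_message):
    """Return attachment filenames in a raw message that match the pattern."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and is_disguised_executable(name):
            hits.append(name)
    return hits

def build_sample():
    """Constructed message: headers and attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "I WAS SHOCKED!"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("(body omitted)")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="photo0001.asp.scr")
    msg.add_attachment(b"placeholder", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name in suspicious_attachments(build_sample()):
        print("disguised executable attachment:", name)
```

A plain `setup.exe` is deliberately not matched here, since the check targets the disguise only; a gateway would normally block bare executable attachments with a separate rule.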
When the downloader is run, nothing is displayed on the user's screen. The downloader trojan attempts to connect to a remote server and download a remote file, saving it locally as:
C:\TMP638.EXE
The downloader trojan then executes this file.
Note: The remote website is purposefully omitted as it would lead users to the trojan files.
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, SPAM email, etc.
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).