Downloader-IU

This page shows details and results of our analysis of the malware Downloader-IU.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT: 4349 (2004-04-07)

Updated DAT: 6138 (2010-10-16)

Minimum Engine: 5.1.00

File Length: Varies

Description Added: 2004-04-01

Description Modified: 2004-05-23

Malware Proliferation

Characteristics

This detection is for a downloading trojan known to have been spammed to many users on several occasions, the latest of which occurred on May 23, 2004 in a message as follows:

--
From:  cosmo [cosmo@nic.fi]
Subject: International Virtual Greetings Center
Body:

Congratulations! You've recieved a postcard from your mom!
 
"I Sent the Sun"
 
Picture attached.
 

========
 
International Virtual Greetings Center www.freegreetings.com

Attachment: Picture.zip (containing report.pif)
--

May 16, 2004 spamming

From: sales [sales@haomatong.net]
Subject: Re: Payment approved (invoce #5997)
Body:

Dear customer! Thank you for shopping with us!
 
Sales department approved your payment, you will be billed
within 2 days. Shipping UPS ground insured.
 
See the attached file for details. (report # 5986)

Attachment: REPORT.ZIP (Zip file containing REPORT.EXE)

Other mass mailings include the following message:

From: support (support@the-body-shop.com) (the sender address may vary)
Subject: Re: item purchase
Body:

Thank you for shopping with us!
See the attached file for details.

Best Regards!

Attachment: DETAILS.ZIP (Zip file containing DETAILS.EXE)
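All three mailings quoted above share one trait: a zip attachment whose only member is a directly executable file (report.pif, REPORT.EXE, DETAILS.EXE). The following is an added example, not part of this advisory and not McAfee code, of a mail-gateway triage check that opens each zip attachment in memory and quarantines the message when a member has an executable extension. The sample messages and zip contents are constructed from the lures quoted above, plus one benign control message; the function names are my own.

```python
import io
import os
import zipfile

# Constructed samples built from the lures quoted in the advisory, plus one benign control.
# Each tuple: (sender, subject, attachment name, names of the files inside the zip).
SAMPLE_MAILS = [
    ("cosmo@nic.fi", "International Virtual Greetings Center", "Picture.zip", ["report.pif"]),
    ("sales@haomatong.net", "Re: Payment approved (invoce #5997)", "REPORT.ZIP", ["REPORT.EXE"]),
    ("support@the-body-shop.com", "Re: item purchase", "DETAILS.ZIP", ["DETAILS.EXE"]),
    ("alice@example.test", "holiday photos", "photos.zip", ["beach.jpg", "sunset.jpg"]),
]

# Extensions Windows executes directly; .pif is included because the Picture.zip lure used report.pif.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}


def build_zip(member_names):
    """Build an in-memory zip with placeholder contents for the given member names (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def executable_members(zip_bytes):
    """Return the names of zip members whose extension is directly executable on Windows."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Member names may carry a path; only the final component decides the extension.
            base = info.filename.rsplit("/", 1)[-1]
            ext = os.path.splitext(base)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                found.append(info.filename)
    return found


def triage_mail(zip_bytes):
    """Return ('quarantine', members) if the attachment carries an executable, else ('deliver', [])."""
    members = executable_members(zip_bytes)
    return ("quarantine", members) if members else ("deliver", members)


def triage_samples():
    """Run the check over the constructed samples; returns (sender, subject, verdict, members) per mail."""
    results = []
    for sender, subject, _attachment, members in SAMPLE_MAILS:
        verdict, hits = triage_mail(build_zip(members))
        results.append((sender, subject, verdict, hits))
    return results


if __name__ == "__main__":
    for sender, subject, verdict, members in triage_samples():
        print(f"{verdict:10s} {sender:28s} {subject!r} {members}")
```

The check deliberately ignores the subject line and sender, both of which changed between mailings, and keys on the structural property that stayed constant across all three lures.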

The trojan exists only to download and execute a remote file (the path to which is stored in the trojan). Access to the following domains should be blocked at the firewall to prevent the file download:

  • http://marnet.us
  • http://animalloversleague.org
  • http://technalytics.net

When run, it attempts to download this file via HTTP, saving it to the Windows system directory as TEMPFILE.EXE or TMPFILE.EXE:

  • %SysDir%\TEMPFILE.EXE
  • %SysDir%\TMPFILE.EXE

This file is then executed.
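The two indicator sets given above, the download domains and the drop paths in the system directory, can be checked with a small script. The following is an added example, not part of this advisory and not McAfee code: it scans constructed proxy log lines for requests to the listed domains (matching the host or any subdomain, but not look-alike hosts that merely start with the same label) and tests file paths against the TEMPFILE.EXE / TMPFILE.EXE drop locations. The log format, the client addresses and the concrete %SysDir% expansions are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Download hosts named in the advisory; any request to them or to a subdomain is flagged.
BLOCKED_HOSTS = {"marnet.us", "animalloversleague.org", "technalytics.net"}

# Names the downloader writes into the Windows system directory.
DROP_NAMES = {"tempfile.exe", "tmpfile.exe"}

# Assumed expansions of %SysDir%; adjust for the systems actually in use.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")

# Constructed proxy log lines: timestamp, client address, method, URL.
PROXY_LOG = """\
1085302201.112 10.0.0.12 GET http://marnet.us/files/update.exe
1085302205.880 10.0.0.13 GET http://www.example.org/index.html
1085302210.004 10.0.0.12 GET http://cdn.technalytics.net/x.bin
1085302215.300 10.0.0.14 GET http://marnet.us.example.net/
"""

# Constructed file-creation events from a host agent.
FILE_EVENTS = [
    r"C:\WINDOWS\system32\TEMPFILE.EXE",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Users\bob\TMPFILE.EXE",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def host_is_blocked(host):
    """True if host equals a blocked domain or is a subdomain of one (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == blocked or host.endswith("." + blocked) for blocked in BLOCKED_HOSTS)


def flag_proxy_log(text):
    """Return (client, host, url) for every log line whose request went to a blocked domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        host = urlsplit(m["url"]).hostname or ""
        if host_is_blocked(host):
            hits.append((m["client"], host, m["url"]))
    return hits


def is_drop_path(path):
    """True if path is one of the downloader's drop names inside an assumed system directory."""
    normalized = path.lower().replace("/", "\\")
    directory, _, name = normalized.rpartition("\\")
    return name in DROP_NAMES and directory in SYSTEM_DIRS


def flag_file_events(paths):
    """Return the subset of paths that match the drop locations."""
    return [p for p in paths if is_drop_path(p)]


if __name__ == "__main__":
    for client, host, url in flag_proxy_log(PROXY_LOG):
        print(f"blocked-domain request from {client}: {host} ({url})")
    for path in flag_file_events(FILE_EVENTS):
        print(f"drop-path write: {path}")
```

The suffix check is done on a label boundary so that a host such as marnet.us.example.net in the constructed log is not mistaken for marnet.us; the file check compares the directory exactly so that the same file name in a user profile is reported separately, if at all, by other logic.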

Obviously the exact contents of this file may change. At the time of writing it is a remote access trojan, detection for which is included in the Daily DATs as BackDoor-BAC.

Symptoms

The downloader trojan itself does not install on the victim machine. It exists only to download and execute a remote file.

At the time of writing this remote file was a remote access trojan, but obviously this could change if the file is updated.

Method of Infection

This downloader trojan exists only to download and execute a remote file.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants