This page shows details and results of our analysis on the malware Downloader-MY


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Minimum Engine


File Length

6,656 bytes (UPX packed)

Description Added


Description Modified


Malware Proliferation


This detection is for a downloading trojan that serves only to download and execute a remote file.

Once executed, it installs itself on the victim machine using deceptive file and folder names:

  • c:\WINNT\system32\drivers\cd_load.exe
  • c:\WINNT\system32\inetsrv\MSCStat.exe

The following Registry hooks are added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "CashToolbar" = C:\WINNT\system32\inetsrv\MSCStat.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "ClickTheButton" = C:\WINNT\system32\drivers\cd_load.exe

After a delay, the following fake error message is displayed:

Upon clicking OK, the trojan attempts to download remote files.


See above. This downloader trojan serves to download and execute remote files.

Method of Infection

This downloader trojan serves to download and execute remote files.


All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations