Downloader-XT

Downloader-XT is a downloader Trojan consisting of a server component and a server editor component. The characteristics of this Trojan with regards to the file names, files downloaded, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The server editor component is also used for the following:

• Configure the link for the files to be downloaded
• Change the Icon for the server created, to make it look legitimate
• Bind the server with another legitimate executable
• Configure a fake error message to be displayed when the server is executed

Server Component:

When the server component is executed, it downloads the files from the URLs pre-configured by the attacker. The downloader by itself doesn?t create any startup registry entries, and hence doesn?t execute on system startup.

Miscellaneous Information:

The author?s intended name for this downloader Trojan is ?SIS-Downloader?

Desktop firewall program alerting that a foreign program is trying to access the internet

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.