MultiDropper-PS

This page shows details and results of our analysis of the malware MultiDropper-PS.

Overview

This is a multidropper intended to drop and execute a trojan downloader and a worm on the target machine.


Minimum DAT

4682 (2006-01-25)

Updated DAT

5951 (2010-04-14)

Minimum Engine

5.1.00

File Length

275,371 bytes

Description Added

2006-01-25

Description Modified

2006-06-30

Characteristics

System Changes

Upon execution, it drops the following files on the system:

  • bfast3.exe  (250,761 bytes)  (Detected as Backdoor-COC)
  • fast.exe    (144,671 bytes)  (Detected as Backdoor-COC)
  • fast3.exe   (154,371 bytes)  (Detected as Backdoor-COC)
  • k3.exe      (24,576 bytes)   (Detected as Backdoor-COC)
  • b3.exe      (84,749 bytes)

Also on execution, a pornographic image is displayed on the system.

The following registry entry is added to run the dropped trojan on system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "BD" = "c:\documents and settings\<user>\local settings\Temp\RarSFX1\fast.exe"

The RarSFX1 folder under the user's Temp directory is the extraction folder created by a WinRAR self-extracting archive, which is consistent with this file being an SFX-packaged dropper. A Run value pointing into a temporary extraction folder is itself a sign worth investigating, since legitimate software does not normally persist from there.

Symptoms

Presence of the aforementioned files and the registry entry.
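The following PowerShell script is an added example for checking a Windows host against the indicators listed above; it is not part of the original AVERT description. File names, sizes and the "BD" Run value come from this page; the function names and the choice of directories to search are this example's own assumptions. Because names such as fast.exe are generic, a name match alone is weak; the script also compares file size and reports the SHA-256 so a hit can be verified against the AV detection.

```powershell
# Added example, not AVERT's code. Indicator names and sizes are from the
# MultiDropper-PS description; search roots and function names are assumptions.

$Indicators = @(
    @{ Name = 'bfast3.exe'; Size = 250761 },
    @{ Name = 'fast.exe';   Size = 144671 },
    @{ Name = 'fast3.exe';  Size = 154371 },
    @{ Name = 'k3.exe';     Size = 24576  },
    @{ Name = 'b3.exe';     Size = 84749  }
)

function Test-MultiDropperRunKey {
    # Reports the "BD" value under HKCU\...\Run and whether it points at
    # fast.exe inside a RarSFX* temp folder, as described on this page.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties['BD']) { return $null }
    $value = [string]$props.BD
    [pscustomobject]@{
        Key     = $key
        Name    = 'BD'
        Value   = $value
        Matches = ($value -match '(?i)\\RarSFX\d*\\fast\.exe')
    }
}

function Find-MultiDropperFiles {
    # Walks the given roots (defaults chosen for this example) and reports any
    # file whose name matches a dropped component, with size and hash for triage.
    param([string[]]$Roots = @($env:TEMP, $env:LOCALAPPDATA, $env:USERPROFILE))

    $byName = @{}
    foreach ($i in $Indicators) { $byName[$i.Name.ToLowerInvariant()] = $i.Size }

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -Path $_) })) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $byName.ContainsKey($_.Name.ToLowerInvariant()) } |
            ForEach-Object {
                $expected = $byName[$_.Name.ToLowerInvariant()]
                [pscustomobject]@{
                    Path         = $_.FullName
                    Size         = $_.Length
                    ExpectedSize = $expected
                    SizeMatch    = ($_.Length -eq $expected)
                    SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Usage: run as the affected user so HKCU and that user's Temp folder are the ones inspected.
$run = Test-MultiDropperRunKey
if ($null -ne $run) { $run | Format-List } else { 'No "BD" Run value found.' }
Find-MultiDropperFiles | Format-Table -AutoSize
```

Run this in the context of the user whose profile was used to execute the dropper, since the persistence entry lives under HKEY_CURRENT_USER and the dropped files sit in that user's Temp directory. A hit with SizeMatch = True for several of the files, together with a "BD" value whose Matches field is True, corresponds to the symptoms listed above; a name-only hit should be confirmed by scanning the file with current DATs.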

Method of Infection

This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include IRC, peer-to-peer file-sharing networks, and attachments to newsgroup postings or email. The file is likely to be named so as to entice the victim to run it.

Trojans may also be received as a result of poor security practices (weak username/password combinations on open shares, lack of or misconfigured firewall protection) or unpatched and vulnerable systems.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants