McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

MultiDropper-QK

This page shows details and results of our analysis on the malware MultiDropper-QK

Threat Detail

Malware Type: Trojan

Malware Sub-type: Dropper

Discovery Date: 2006-03-24

Next Steps:

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4726 (2006-03-24)

Updated DAT

4726 (2006-03-24)

 Minimum Engine

5.1.00

File Length

N/A

 Description Added

2006-03-24

Description Modified

2006-03-27

Malware Proliferation

Characteristics

Multidropper is a general term for programs designed specifically to install and run other trojans. The trojan user generally runs a program called a joiner or binder to combine a trojan and an innocent program (such as a game) together into one program. Multidroppers generally do not have any payload or infectious capabilities on their own; they only install other trojans. Multidroppers are added to the DATs as they are discovered.

The dropper files serve only to drop and execute other files on the target machine. When run, this is exactly what they do - the dropper itself typically does not install on the victim machine.  Typically files created or extracted from the original file are placed in standard locations such as the Windows or System folders and the registry is modified to load the dropped binaries at Windows startup.

Detection was added to cover against a malicious file originally called "patch.exe", having file size of 213,519 bytes.

Upon execution, it drops following files:

  • EJN2.tmp    (200,704 bytes) (Detected as Generic PWS.g)
  • winServices.pif    (200,704 bytes) (Detected as Generic PWS.g)

?patch.exe? runs in the background and does not allow task manager to open, unless the process is killed by some means. ?EJN2.tmp? is not a temp file but an executable and may have different names.

Following registry entry is added to run the trojan on system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ?Windows Loader?= ?%WINDIR%\winServices.pif?

Symptoms

Presence of files and the registry entry listed above.

Method of Infection

This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include via IRC, via peer-to-peer file-sharing networks, as an attachment in newsgroup postings or email, etc. The file is likely to be named in order to entice the victim to run it.

Trojans may also be received as a result of poor security practices (weak username/password combination on open shares, lack of/or misconfigured firewall protection), or unpatched and vulnerable systems.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

United States - English