Upon execution, the sample drops eltfuntarg.exe (file size 61440 bytes) and s_install_id8.exe (file size 7680 bytes). These two files are already detected by McAfee as Downloader-VF and W32/Gael.worm.a respectively. Both dropped files then execute. s_install_id8.exe infects .exe files on the user's system by appending itself to host files. eltfuntarg.exe is responsible for downloading further trojan and potentially unwanted program samples onto the user's system.
System Changes
Files Added
The following files are dropped:
Registry Changes
The following registry key is created:
This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include IRC, peer-to-peer file-sharing networks, and attachments in newsgroup postings or email. The file is likely to be given a name chosen to entice the victim to run it.
Trojans may also be received as a result of poor security practices (weak username/password combinations on open shares, missing or misconfigured firewall protection) or unpatched and vulnerable systems.
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when files are received via P2P clients, IRC, email or other media where users can share files.