Downloader-BBE

This page shows the details and results of our analysis of the malware Downloader-BBE.

Overview

It is a trojan downloader designed to pull files from a remote website and execute them on the user's system.


Minimum DAT

4991 (2007-03-23)

Updated DAT

5270 (2008-04-09)

Minimum Engine

5.1.00

File Length

N/A

Description Added

2007-03-23

Description Modified

2007-03-30

Malware Proliferation

Characteristics

File:    Install.exe
Hash:   b99dea7ecf6304eaeac4a98bc71ec846

Upon execution, it connects to [removed].881515.net and downloads executable files from it.

It creates the files listed below in the %system32% folder.

File:    gewow.exe
Hash:    19e6e767dcace9965914cc7b97253417
File:    logo_1.exe
Hash:    8659b18cc9a6f3edbe5cfb40a9b38807

It creates the files shown below in the %temp% folder.

File:    2211.dll
Hash:    541e4edf3977a13072fc0acfaf23ffc7
File:    10185.dll
Hash:    bda998a48d59b5ecf4ff579c5153ad0c

It creates the following Run registry values so that it is executed at each reboot.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "logg"
        Data: c:\windows\system32\logo_1.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wow"
        Data: C:\WINDOWS\system32\gewow.exe

Symptoms

Presence of files and registry keys listed above confirms the attack.
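As an added example (not part of the original description), the following Python checks a collected file inventory and the HKLM Run values against the indicators listed above. The file names, hashes and Run values are those from this page; the inventory format ((path, md5) pairs from a triage collector) is an assumption.

```python
import hashlib
import ntpath
from typing import Dict, Iterable, List, Tuple

# Indicators from the Downloader-BBE description (MD5 hex, lower-case).
IOC_HASHES: Dict[str, str] = {
    "b99dea7ecf6304eaeac4a98bc71ec846": "Install.exe",
    "19e6e767dcace9965914cc7b97253417": "gewow.exe",
    "8659b18cc9a6f3edbe5cfb40a9b38807": "logo_1.exe",
    "541e4edf3977a13072fc0acfaf23ffc7": "2211.dll",
    "bda998a48d59b5ecf4ff579c5153ad0c": "10185.dll",
}
IOC_NAMES = {name.lower() for name in IOC_HASHES.values()}

# Run values the downloader writes for persistence: value name -> file name.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUES = {"logg": "logo_1.exe", "wow": "gewow.exe"}


def hash_file(path: str) -> str:
    """MD5 of a file on disk, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """inventory: (path, md5) pairs (assumed collector format). A hash match is a
    confirmed hit; a name-only match is flagged as a possible variant for review."""
    hits = []
    for path, digest in inventory:
        name = ntpath.basename(path).lower()
        digest = digest.lower()
        if digest in IOC_HASHES:
            hits.append(f"hash match: {path} ({IOC_HASHES[digest]})")
        elif name in IOC_NAMES:
            hits.append(f"name match, hash differs (possible variant): {path}")
    return hits


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """run_values: value name -> data, as read from the HKLM Run key."""
    hits = []
    for name, data in run_values.items():
        expected = IOC_RUN_VALUES.get(name.lower())
        if expected and ntpath.basename(data).lower() == expected:
            hits.append(f'persistence: {RUN_KEY} "{name}" = {data}')
    return hits
```

On a live host, feed `hash_file` over the %system32% and %temp% directories into `check_files`, and the exported Run key values into `check_run_values`.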

Method of Infection

N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants