McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

Downloader-Icug

This page shows details and results of our analysis on the malware Downloader-Icug

Threat Detail

Malware Type: Trojan

Malware Sub-type: Downloader

Discovery Date: 2007-06-19

Next Steps:

Overview

This description is for a downloader trojan, which gets downloaded through JS/Downloader-AUD and in turn downloads BackDoor-Icug.

The characteristics of this downloader with regards to files downloaded etc will differ depending on the way in which the attacker had configured it. Hence, this is a general description.


Minimum DAT

5056 (2007-06-19)

Updated DAT

5058 (2007-06-21)

 Minimum Engine

5.1.00

File Length

6,772 Bytes

 Description Added

2007-06-19

Description Modified

2007-06-19

Malware Proliferation

Characteristics

At the time of writing this description, this downloader trojan was being downloaded through JS/Downloader-AUD.

When JS/Downloader-AUD is successfully executed on the victim's machine, it connects to "http://64.38.{blocked}/~ftpcom" and downloads a file named "file.php".

This file is actually an executable file which uses the ".php" extension to elude the user.

When this downloaded file is run, it injects itself into svchost.exe and in turn connects to "http://64.38.{blocked}/~ftpcom"
and "http://194.146.{blocked}/ld/guc" and downloads more files to the following folders:

  • %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
  • %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
  • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\[Random Folder]\ld_guc[1].exe
  • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\[Random Folder]\n1[1].exe

The downloaded files are detected as BackDoor-Icug.

Note:

  • In an attempt to make the downloaded files harder to find, the files have their attributes changed to hidden and system
  • Software based firewall on the infected machine might not alert about the downloader trying to connect to the internet.
    This is because, the downloader injects itself into svchost.exe to connect to the internet
  • %ProgramFiles% and %UserProfile% are variable locations which refer to the program files folder and the user profile
    folder respectively

Symptoms

The presence of the files mentioned is a good symptom of being infected by this downloader.

Method of Infection

This downloader trojan is downloaded by JS/Downloader-AUD. It does not self-replicate.

It could spread manually, however, under the premise that the executable is something beneficial.

The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

United States - English