Downloader-BDH

When executed, this downloader by itself did not seem to drop any files on the victim?s machine. However, it modified the following registry entries:

• HKEY_Local_Machine\System\CurrentControlSet\Hardware Profiles\Current\
  Software\Microsoft\windows\CurrentVersion\Internet Settings
  Name: Proxy Enable
  Value: 0
• HKEY_Users\s-1-5-18\Software\Microsoft\Windows\Currentversion\Internet Settings
  Name: Proxy Enable
  Value: 0
• HKEY_Local_Machines\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
  \Paths\Path1
  Name: CacheLimit
  Value: 32694

The above modifications to the registry could lower the security settings of ?Internet Explorer?, which in turn would be used by the malware to download further malicious components.

Typical to other malware downloaders, this downloader attempted to download other malicious files from the following sites:

• yaxmtxhfen.biz
• qagwetobzb.com

However, at the time of writing this description these files were found absent from the website.

• Presence of files/registry entries mentioned earlier
• Software based firewall, if any installed on the machine might alert about an unknown program attempting to connect to the internet

Downloader trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.