Overview
This description is for a downloader trojan, which when executed, could further download more malicious components from the web and install them on the victim?s machine.
The characteristics of this downloader in regards to file names, URLs accessed, files downloaded etc. will differ, depending the way in which the attacker had configured it. Hence, this is a general description.
|
Minimum DAT
5118 (2007-09-12) Updated DAT5118 (2007-09-12) |
Minimum Engine
5.1.00 File LengthN/A |
Description Added
2007-09-12 Description Modified2007-09-23 |
Malware Proliferation
Characteristics
When executed, this downloader creates the following folder:
- C:\Program Files\Web Publish
It then drops a copy of itself into this folder as ?Idrivers.pif?.
To enable execution of itself at system startup, the downloader creates the following registry entry:
- Hkey_Local_Machine\Software\Microsoft\Active Setup\Installed Components\
{2bf41073-b2b1-21c1-b5c1-0701f4155588}
StubPath = "C:\Program Files\Web Publish\IDrivers.pif"
Once executed, the downloader attempts to connect to the following website, to download more malicious content:
- http://cool.47555.com/
Symptoms
- Presence of files and registry entries mentioned earlier
- Software based firewall, if any installed on the machine might alert about an unknown program attempting
to connect to the internet.
Method of Infection
Downloader trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants