McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

Downloader-BQZ.a

This page shows details and results of our analysis on the malware Downloader-BQZ.a

Threat Detail

Malware Type: Trojan

Malware Sub-type: Win32

Discovery Date: 2009-10-01

Next Steps:

Overview

This description is for a Downloader Trojan, which when executed, could further download more malicious components from the web and install them on the victim?s machine.

The characteristics of this downloader in regards to file names, URLs accessed, files downloaded etc. will differ, depending the way in which the attacker had configured it. Hence, this is a general description.

 


Minimum DAT

5759 (2009-10-02)

Updated DAT

5760 (2009-10-03)

 Minimum Engine

5.3.00

File Length

Varies

 Description Added

2009-10-01

Description Modified

2009-10-01

Malware Proliferation

Characteristics

-- Update October 1, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=220300592

--

When executed, this malware drops copies of itself as following:

  • %System%\ivpdzazny
  • %System%\sxks.exe

Note:

%System% is a variable that refers to the Windows system folder. A typical path is C:\Windows\System32

It then modifies the following registry entries:

  • HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
  • HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe
    HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
  • HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
  • HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe

The data for the above registry entries is changed to:

  • Debugger = "%ProgramFiles%\Internet Explorer\iexplore.exe"

This ensures that everytime the user invokes an Internet browser belonging to the above list, "Internet Explorer" is launched instead.

The malware also modifies the following key to ensure its execution at system startup:

  • HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
    Debugger = "sxks.exe"

The malware then attempts to connect to the following site:

  • http://kissfromde.[Removed]

It could then post information about the infected machine. The malware could also receive instructions from this predefinded command and control server. The instructions reveived could include:

  • Steal passwords for banking related sites
  • Download latest copy of the malware

Symptoms

  • Presence of files/registry entries mentioned earlier
  • Software based firewall, if any installed on the machine might alert about an unknown program attempting to connect to the internet

Method of Infection

Downloader Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants

United States - English