Downloader-W

This page shows details and results of our analysis of the malware Downloader-W

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4198 (2002-04-24)

Updated DAT

5409 (2008-10-20)

Minimum Engine

5.1.00

File Length

Varies

Description Added

2002-04-19

Description Modified

2002-05-06

Malware Proliferation

Characteristics

A JavaScript was recently found on two web pages (on koolkatalog.com and online1net.com) that exploits the "Microsoft VM ActiveX Component" vulnerability. The script modifies the Internet Explorer security settings to automatically install all ActiveX Controls. As a result, an ActiveX Control gets installed, which downloads other trojan components. This ActiveX Control can be found in the
%WinDir%\Downloaded Program Files folder as "IO Class". Checking the properties of this file will show a CodeBase reference to ONLINE1NET.COM.

There are several components to this trojan:

  • MNSVC.EXE (20,480 bytes) - This is the part that downloads AUSVC.EXE from http://www.wwws1.com/. It contains the text: "MinStaller Mutex"
  • AUSVC.EXE (57,344 bytes) - This downloads the rest of the trojan. It contains the text: "Autoupdater Mutex"
  • BVT.EXE (114,760 bytes) - This is an Internet Explorer Browser Plugin. It contains the text "BrowserEvt"
  • ABSR.EXE (118,858 bytes) - This is another IE Plugin. It contains the text "AutoBrowser"
  • AUUPG.EXE (69,632 bytes) - This appears similar to AUSVC.EXE, but it doesn't have the same text.
  • COOLSTUFF.OCX (65,653 bytes) - This ActiveX Control makes reference to several commercial firewall programs, as well as to the other trojan components. It works in conjunction with setup-information type files, which reside on a web server, to download and install trojan components.
  • EA.BIN (366,438 bytes) - File contains numbers. It's currently unclear what the purpose of this file is.
  • MBTCD.BAK (8,884 bytes) - File contains encrypted data. It's currently unclear what the purpose of this file is.
  • Msvcp60.dll (401,462 bytes) - This is not a trojan file, but rather a Microsoft C++ Runtime Library used by other trojan components. This .DLL is typically found in the SYSTEM directory on non-infected systems. A second copy may be found in the WINDOWS directory on infected systems.
  • UNDO.BAT (49 bytes) - This file simply calls %TEMP%\undo.exe and then deletes the UNDO.EXE file.
  • UNDO.EXE (57,405 bytes) - An uninstaller to remove the trojan.
As this trojan downloads executables and runs them, these executables may change frequently. Users who suspect that they have this trojan may wish to install the Daily DATs (beta) to ensure that all known variants are detected.

Symptoms

- Presence of the files mentioned above.
- Presence of registry run keys which point to these files:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Some users also report that this trojan causes crashes.

Method of Infection

This trojan gets installed when visiting a hosting website. Currently http://www.koolkatalog.com and http://www.online1net.com contain malicious JavaScript code which installs MNSVC.EXE, as well as the COOLSTUFF.OCX ActiveX Control.

Trojan components are downloaded to the temp directory as FF0*.tmp in compressed form. The files are then extracted to the WINDOWS directory.
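The indicators in the Symptoms section and the FF0*.tmp drop pattern above can be checked offline from a registry export and directory listings. The following Python script is an added example written for this page, not a McAfee tool. The .reg export, directory listings and CodeBase URL it runs against are constructed samples that reproduce the indicators described; the Run value names (MinStaller, AutoUpdater) are assumptions, since the description names the key but not the values under it.

```python
"""Offline triage for the Downloader-W indicators on this page (added example).

Checks a .reg export of the Run key, directory listings and the IO Class
CodeBase URL against the component names, the FF0*.tmp temp-drop pattern and
the hosting domains named in the description. All inputs at the bottom are
constructed samples; on a real system feed it `reg export` output, `dir`
listings and the CodeBase shown in the control's Properties dialog.
"""
import fnmatch
import re
from urllib.parse import urlparse

# Component file names from the Characteristics section; Windows file names
# are case-insensitive, so everything is compared in lower case.
COMPONENTS = {
    "mnsvc.exe", "ausvc.exe", "bvt.exe", "absr.exe", "auupg.exe",
    "coolstuff.ocx", "ea.bin", "mbtcd.bak", "undo.bat", "undo.exe",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HOSTS = {"koolkatalog.com", "online1net.com", "wwws1.com"}  # named above


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg strings escape backslash and quote with a backslash.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def command_image(cmd):
    """Executable path of a Run-value command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_run_values(keys):
    """(value name, image path) for Run values that point at a component."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            image = command_image(data)
            if image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in COMPONENTS:
                hits.append((name, image))
    return hits


def suspicious_files(listing, windir=r"C:\WINDOWS"):
    """(kind, path) for components, FF0*.tmp drops and a stray Msvcp60.dll."""
    hits = []
    for directory, names in listing.items():
        for name in names:
            low, path = name.lower(), directory + "\\" + name
            if low in COMPONENTS:
                hits.append(("component", path))
            elif fnmatch.fnmatchcase(low, "ff0*.tmp"):
                hits.append(("compressed-drop", path))
            elif low == "msvcp60.dll" and directory.lower() == windir.lower():
                # Normally only in SYSTEM; a second copy in WINDOWS is the tell.
                hits.append(("runtime-copy", path))
    return hits


def codebase_is_hostile(url):
    """True when the IO Class CodeBase points at one of the named domains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in HOSTS)


def triage(reg_text, listing, codebase=None):
    report = {
        "run_values": suspicious_run_values(parse_reg_export(reg_text)),
        "files": suspicious_files(listing),
        "codebase": bool(codebase) and codebase_is_hostile(codebase),
    }
    report["infected"] = bool(report["run_values"] or report["files"] or report["codebase"])
    return report


# Constructed sample inputs; the Run value names are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MinStaller"="C:\\WINDOWS\\MNSVC.EXE"
"AutoUpdater"="\"C:\\WINDOWS\\AUSVC.EXE\" /silent"
'''
SAMPLE_LISTING = {
    r"C:\WINDOWS": ["explorer.exe", "MNSVC.EXE", "AUSVC.EXE", "coolstuff.ocx",
                    "Msvcp60.dll", "undo.bat"],
    r"C:\WINDOWS\SYSTEM": ["Msvcp60.dll", "kernel32.dll"],
    r"C:\WINDOWS\TEMP": ["FF03.tmp", "FF0A.tmp", "~DF1234.tmp"],
}
SAMPLE_CODEBASE = "http://www.online1net.com/coolstuff.ocx"
```

Run `triage(SAMPLE_REG, SAMPLE_LISTING, SAMPLE_CODEBASE)` to see the report; the `files` list is what the manual removal steps below have to clean up, and the `run_values` list is the set of Run entries to delete before the restart. Because the downloaded executables change frequently (see above), the fixed name list will miss renamed payloads; the FF0*.tmp pattern and the Msvcp60.dll copy are the more durable indicators.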

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

  • Go to the directory: %WinDir%\Downloaded Program Files
  • Right-click on IO Class and choose REMOVE
  • Delete any registry values (for example under the Run key listed in the Symptoms section) that reference the files mentioned in the Characteristics section of this description
  • Restart the computer
  • Delete the files mentioned in the characteristics section of this description

Additional Windows ME/XP removal considerations

Variants