Downloader-BO

This page shows details and results of our analysis of the malware Downloader-BO.

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4233 (2002-11-13)

Updated DAT

4264 (2003-05-14)

Minimum Engine

5.1.00

File Length

4,096 bytes

Description Added

2002-11-11

Description Modified

2003-05-07

Malware Proliferation

Characteristics

--- Update May 07, 2003 ---
A new variant of this threat was discovered recently. This variant is dropped by a file named Error.hta (see Downloader.BO.dr). Current DAT files detect this threat as a variant of Downloader.BO. This variant attempts to download an IRC/Flood package from www.t-blocked-shop.net.
----- End Update -----

This trojan connects to a hypermart.net user website to download a file named counter.c. The content of this file is saved locally as OUTPUT.EXE and run. At the time of this writing the downloaded file was a backdoor trojan, BackDoor-AML.

The downloader creates 2 registry keys:

  • HKEY_CLASSES_ROOT\.inr\5Nzg1mOWKzFnuvu6 "Time"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ".inr\5Nzg1mOWKzFnuvu6"=%Trojan Path%

A Perl script on the trojan author's site is accessed, and the country of the infected user is passed to the author.
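
As an added example, not part of the original description: a read-only PowerShell triage check for the two registry entries listed above, for use on a suspect host. It assumes the key and value names exactly as listed on this page and is run from an elevated prompt; it reports and modifies nothing.

```powershell
# Added example (not from the original page): report the Downloader-BO registry
# indicators listed in the description. Read-only; nothing is deleted or changed.
# HKCR has no default PSDrive, so it is addressed through the Registry:: provider.
$markerKey = 'Registry::HKEY_CLASSES_ROOT\.inr\5Nzg1mOWKzFnuvu6'
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue  = '.inr\5Nzg1mOWKzFnuvu6'   # value name exactly as given on the page

$findings = @()

# 1. The marker key under HKCR that carries the "Time" value.
if (Test-Path -LiteralPath $markerKey) {
    $time = (Get-ItemProperty -LiteralPath $markerKey -ErrorAction SilentlyContinue).Time
    $findings += [pscustomobject]@{ Indicator = 'HKCR marker key'
                                     Detail    = "$markerKey (Time=$time)" }
}

# 2. The Run value that relaunches the downloader at logon; its data is the
#    trojan's path (%Trojan Path% on the page), so the file itself can be checked too.
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $runValue)) {
    $trojanPath = $run.$runValue
    $findings += [pscustomobject]@{ Indicator = 'Run key persistence'
                                     Detail    = "$runValue = $trojanPath" }
    # The page lists the downloader at 4,096 bytes; note the size of whatever is referenced.
    if ($trojanPath -and (Test-Path -LiteralPath $trojanPath)) {
        $len = (Get-Item -LiteralPath $trojanPath).Length
        $findings += [pscustomobject]@{ Indicator = 'Referenced file on disk'
                                         Detail    = "$trojanPath ($len bytes)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Downloader-BO registry indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on either entry is a reason to run a current engine and DAT scan as the Removal section directs, since the Run value points at the downloader and a BackDoor-AML payload may already be present.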

Symptoms

Presence of BackDoor-AML.

Method of Infection

This trojan has been blocked in the wild, attached to a significant number of email messages.

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions


Additional Windows ME/XP removal considerations

Variants