Downloader-EV

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Downloader
  • Protection Added: 2003-10-30

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum Engine

5400.1158

File Length

67,592 bytes (parent file)

Description Added

2003-10-30

Description Modified

2003-10-30

Malware Proliferation


This detection is for a file that serves as a downloading/updating component.

Upon execution on the target machine, the file installs itself into the application data folder, using a random 4-letter filename. For example:

  • C:\WINDOWS\APPLICATION DATA\ESCN.EXE
  • C:\DOCUMENTS AND SETTINGS\USERNAME\APPLICATION DATA\CSRR.EXE

This file is 67,592 bytes in length.

A Registry value is added under the Run key so that the file is executed at each subsequent system startup; the value name used will vary. For example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Otss" = C:\WINDOWS\ESCN.EXE

Once running, an attempt is made to connect to a remote server (located via a DNS request). An HTTP GET request is then sent to the server, passing information such as:

  • install, update or warning
  • version details
  • message

When first run on a machine, the request indicates that an install is requested. If a previous attempt to connect to the remote server failed, the request instead carries a warning, signalling that the remote server should be checked for content.
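As an added illustration (not part of McAfee's description), the following Python hunts for this behaviour in two places: proxy logs, for HTTP GET beacons to www.clickspring.net carrying the install/update/warning state, and Run-key values pointing at a random 4-letter .exe in an Application Data folder. The proxy log format, the query parameter names (action, ver, msg) and all sample entries are constructed assumptions; the page does not document the exact request layout.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Remote host named on the page. The query parameter names (action, ver, msg)
# and the proxy log format are ASSUMPTIONS for illustration; the page does not
# document the exact request layout.
BEACON_HOST = "www.clickspring.net"
BEACON_STATES = {"install", "update", "warning"}

# Dropped file: random 4-letter name with .exe under an Application Data folder.
DROPPED_FILE_RE = re.compile(r"\\application data\\[a-z]{4}\.exe$", re.IGNORECASE)

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2003-10-30T09:15:01 10.0.0.5 GET http://www.clickspring.net/get.php?action=install&ver=1.0&msg=ok 200",
    "2003-10-30T09:15:02 10.0.0.5 GET http://www.example.com/index.html 200",
    "2003-10-30T09:20:11 10.0.0.7 GET http://www.clickspring.net/get.php?action=warning&ver=1.0&msg=noconnect 503",
    "2003-10-30T09:21:00 10.0.0.9 POST http://www.clickspring.net/get.php?action=update 200",
]

# Constructed HKLM\...\Run values (name -> data), mixing the trojan's entries
# with a legitimate one.
SAMPLE_RUN_VALUES = {
    "Otss": r"C:\WINDOWS\APPLICATION DATA\ESCN.EXE",
    "ctfmon": r"C:\WINDOWS\SYSTEM32\CTFMON.EXE",
    "Wlqa": r"C:\DOCUMENTS AND SETTINGS\USERNAME\APPLICATION DATA\CSRR.EXE",
}


def parse_proxy_line(line):
    """Split one constructed proxy log line into its fields, or return None."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, method, url, status = parts[:5]
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def classify_beacon(url):
    """Return beacon details if url targets the downloader's server, else None.

    state is install/update/warning as described on the page, or "unknown"
    when the host matches but the action value is unexpected.
    """
    parts = urlsplit(url)
    if parts.hostname is None or parts.hostname.lower() != BEACON_HOST:
        return None
    query = parse_qs(parts.query)
    action = query.get("action", [""])[0].lower()
    return {
        "state": action if action in BEACON_STATES else "unknown",
        "version": query.get("ver", [None])[0],
        "message": query.get("msg", [None])[0],
    }


def find_beacons(lines):
    """Return one record per HTTP GET to the downloader's server."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["method"].upper() != "GET":
            continue
        beacon = classify_beacon(rec["url"])
        if beacon is not None:
            hits.append({"client": rec["client"], "ts": rec["ts"], "status": rec["status"], **beacon})
    return hits


def suspicious_run_entries(run_values):
    """Flag Run values whose data is a 4-letter .exe in an Application Data folder."""
    return [(name, data) for name, data in run_values.items() if DROPPED_FILE_RE.search(data)]


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} beacon state={hit['state']} ver={hit['version']} msg={hit['message']}")
    for name, data in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {name!r} -> {data}")
```

The host match is the reliable part of this check, since the page names it; the parameter parsing only applies under the stated assumption about the request layout, so treat an "unknown" state on a matching host as still worth investigating rather than as a false positive.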

Investigation into the downloaded (and presumably installed) application is still ongoing - description will be updated once complete.

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

This is a downloading/updating component that retrieves data from a remote server. Analysis is currently ongoing to assess exactly what is installed. Indicators of infection include:

  • Unexpected Internet activity, as the machine attempts to connect to www.clickspring.net
  • Presence of the files/Registry value detailed above