Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Win32
  • Protection Added: 2004-10-06

This description covers a Trojan that uploads information about the infected machine to a predetermined site and downloads other malware components.

Characteristics of this Trojan such as file names and folders created differ from one version to another; hence this is a general description.


Minimum Engine

5400.1158

File Length

360 KB

Description Added

2004-10-06

Description Modified

2004-10-06

Malware Proliferation


When executed, this Trojan drops copies of itself in the following locations:

  • %System%\ipxpromne.exe
  • %System%\schtaskse.dll

Note:

  • %System% is a variable location and refers to the Windows system directory.

The Trojan then modifies the following registry entry to ensure its execution at system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load = "%System%\rundll32.exe,%System%\ipxpromne.exe"
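As an added defender-side check that is not part of this advisory, the following PowerShell snippet looks for the two dropped files and the `load` persistence value listed above, checking every loaded user hive rather than only the current user. It assumes an elevated prompt; the file names and key path are the ones given in this description.

```powershell
# Added example (not from the advisory): check for the dropped files and the
# 'load' persistence value described above. Run from an elevated prompt.
$sys = [Environment]::GetFolderPath('System')   # expands %System%

# File names taken from this description.
$dropped = @("$sys\ipxpromne.exe", "$sys\schtaskse.dll")
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $h = Get-FileHash -LiteralPath $f -Algorithm SHA256
        Write-Output "SUSPECT FILE: $f  SHA256=$($h.Hash)"
    }
}

# The 'load' value under ...\CurrentVersion\Windows is the legacy Win.ini
# "load=" hook; it is empty on a normal system, so any value merits review.
$subKey = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $path = "Registry::$($hive.Name)\$subKey"
    $load = (Get-ItemProperty -Path $path -Name load -ErrorAction SilentlyContinue).load
    if ($load) {
        Write-Output "load value set in $($hive.Name): $load"
        if ($load -match 'ipxpromne\.exe') {
            Write-Output "MATCH: load value references the dropped file from this description"
        }
    }
}
```

Hives of users who are not logged on are not mounted under HKEY_USERS, so repeat the check after loading their NTUSER.DAT or scan the files offline.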

The Trojan tries to upload information such as the name of the infected machine, IP addresses and MAC addresses using an HTTP POST request to the following site:

  • http://bs411.bluewinnt.com/[Removed]

At the time of writing this description, the specific link on the site appeared to be down.

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or unpatched machines and vulnerable systems.

The presence of the files and registry entries mentioned earlier indicates infection.