Intel Security
open

Downloader-CEW

This page shows details and results of our analysis on the malware Downloader-CEW

Download Current DAT

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Downloader
  • Protection Added: 2010-02-09

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Microsoft: TrojanDownloader:Win32/Renos.KX
  • VBA32: Win32.TrojanDownloader.FakeAlert.ATQ
  • Symantec: Trojan.FakeAV!gen18
  • Kaspersky: Packed.Win32.Krap.an
  • Avira: TR/Agent.ANAC


Minimum Engine

5600.1067

File Length

Varies

Description Added

2010-02-09

Description Modified

2010-03-31

Malware Proliferation

-------------Update on 30-March-10----------------

File Information -

  • MD5 - DD350CA7E65F3099C0BB1F370E2510EE
  • SHA - 1B8AEE252F3A041E688F1F8239E53DAC1D60A659

When executed, the Trojan connects to the following websites to download malicious files from the remote server.

  • http://zeno[removed].com/resolution.php?data
  • http://alt[removed].com/resolution.php?data
  • http://satr[removed].com/resolution.php?data
  • http://ohu[removed].com/borders.php?data
  • http://ohs[removed].com/borders.php?data
  • http://big[removed].com/borders.php?data

The following registry value has been added to the system

[HKEY_CURRENT_USER\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\]

YVIBBBHA8C = "%UserProfile%\Desktop\dd350ca7e65f3099c0bb1f370e2510ee.exe"

The above mentioned registry entry confirms that, the Trojan executes every time when windows starts.

The Trojan adds the following job file

  • %WinDir%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

The Trojan creates the above job file which is scheduled to execute the downloaded files everyday at the same time when the Trojan was executed initially.

[Where %UserProfile% - C:\Documents and Settings\[UserName], %WinDir% - C:\WINDOWS]

---------------

Downloader-CEW is designed to download malicious files from websites controlled by the malware author.

When executed, the Trojan connects to the following websites to download malicious files from the remote server.

  • http://work[removed]tsstudio.com/mscool.php?data
  • http://work[removed]gallery.com/mscool.php?data
  • http://cofee-[removed].com/mscool.php?data

The following registry keys have been added to the system

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters

The Trojan adds the following file

  • %Temp%\Nzz..bat

The Trojan deletes itself by executing the above mentioned batch file, once it finishes the download operation.

[Where %Temp% is the Temp Directory]

  • Presence of above mentioned registry
  • Presence unexpected network connection to the above mentioned sites.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.