Downloader-AFP

Type: Trojan
SubType: Downloader
Discovery Date: 10/04/2005
Length:
Minimum DAT: 4596 (10/04/2005)
Updated DAT: 4599 (10/06/2005)
Minimum Engine: 5.1.00
Description Added: 10/04/2005
Description Modified: 10/06/2005 10:35 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.

Upon successful execution, this trojan launches an instance of Internet Explorer and injects a DLL file into its memory space. This helps the trojan hide in the process list, since the downloading is done from within the browser process.

Note: The generic buffer overflow protection in VSE prevents execution of the trojan, and thus prevents the downloads.

It may create the following registry keys:

  • HKEY_CURRENT_USER\Control Panel\International\Geo\Nation : Value="244"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\down : Value="MSXMIDI.EXE"

Files Created:

  • Copies itself as %sysdir%\msxmidi.exe (8,704 bytes)

If the download is prevented by VSE's generic buffer overflow protection, another DLL file is dropped in the same folder as the original file:

  • winhlp32.dll (9,216 bytes)

If IE is launched by this trojan, it contacts the following IP address in order to download various other trojans:

  • 69.50.161.11

The downloaded files are:

  • netupd32.exe - Detected as Downloader-AFP trojan
  • nbtrstat.exe - Detected as Adclicker-BM trojan
  • wowdbe.exe - Detected as StartPage-DU trojan
  • upncont.exe - Detected as Adware-Clearsurfing
  • tsmsetup.exe - Detected as Adware-MsnList
  • sethcd.exe - Detected as Adclicker-BW trojan
  • smbdins.exe - Detected as Adware-MsnList
  • ipvcx6.exe - Detected as Downloader-XD.dr trojan

Symptoms

Presence of the aforementioned files and registry keys.
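The host-side check a responder would run for the indicators above, written here as an added example (not McAfee's own tool). It assumes %sysdir% is %SystemRoot%\System32; the page does not say where the secondary payloads land, so they are looked for in System32 and %TEMP% only, as an assumption.

```powershell
# Added example: check a host for the Downloader-AFP indicators listed in this description.
# Assumptions: %sysdir% = $env:SystemRoot\System32; secondary payload location is not stated
# on the page, so System32 and %TEMP% are searched as a guess.
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail, [string]$Weight) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail; Weight = $Weight })
}

# 1. Persistence: Run value "down" pointing at MSXMIDI.EXE (strong indicator).
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$down = (Get-ItemProperty -Path $runKey -Name 'down' -ErrorAction SilentlyContinue).down
if ($down -and $down -match 'msxmidi\.exe') {
    Add-Finding 'Registry' "$runKey\down = $down" 'Strong'
}

# 2. Geo\Nation = 244. This key is a normal Windows locale setting (244 is the GeoID for
#    the United States), so by itself it only corroborates and never confirms infection.
$geoKey = 'HKCU:\Control Panel\International\Geo'
$geo = (Get-ItemProperty -Path $geoKey -Name 'Nation' -ErrorAction SilentlyContinue).Nation
if ($geo -eq '244') { Add-Finding 'Registry' "$geoKey\Nation = 244" 'Weak' }

# 3. Dropped copy of the trojan, compared against the size stated on the page.
$sysdir = Join-Path $env:SystemRoot 'System32'
$copy = Join-Path $sysdir 'msxmidi.exe'
if (Test-Path $copy) {
    $len = (Get-Item $copy).Length
    $w = if ($len -eq 8704) { 'Strong' } else { 'Medium' }
    Add-Finding 'File' "$copy ($len bytes)" $w
}

# 4. Dropped DLL and downloaded payload names (search locations are assumed, see header).
$names = 'winhlp32.dll', 'netupd32.exe', 'nbtrstat.exe', 'wowdbe.exe', 'upncont.exe',
         'tsmsetup.exe', 'sethcd.exe', 'smbdins.exe', 'ipvcx6.exe'
foreach ($dir in @($sysdir, $env:TEMP)) {
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (Test-Path $p) { Add-Finding 'File' $p 'Medium' }
    }
}

if ($Findings.Count -eq 0) { 'No Downloader-AFP indicators found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

The contacted address 69.50.161.11 is a network indicator rather than a host one; search proxy and firewall logs for it rather than relying on this host check alone.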

Method of Infection

N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or trojans and installed on the user's system.

Many of these are additionally mass-spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction).

Removal

VirusScan Enterprise 8.0i
VSE 8.0i contains generic buffer overflow protection that is effective in preventing this threat from spreading. Protection is enabled by default.

With this configuration, a message dialog box appears upon detection.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
