|Detected||Jun 16 2008 11:05 GMT|
|Released||Jun 16 2008 15:51 GMT|
|Published||Oct 13 2008 08:37 GMT|
This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 26552 bytes in size. It is packed using UPX. The unpacked file is approximately 43KB in size. It is written in Delphi.
The Trojan displays the following message:
It also modifies the following system registry key parameter values:
Stops services listed below:
The Trojan sends a request to download a file from one of the addresses shown below which belong to the malicious user:
The file will be saved as "index.html " to the following directory:
At the time of writing, the Trojan reads the following URLs from the downloaded file in order to download further files:
These files will be saved as follows:
The Trojan then extracts the files shown below from the files it downloaded and saved, and saves them to the current user's Windows temporary directory:
This file is 10240 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Pakes.kxv.
This file is 85960 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.bfr.
This file is 291776 bytes in size.
This file is 44032 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Delf.fdx.
This file is 419731 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Agent.agih.
This file is 45063 bytes in size. It will be detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.ZenoSearch.o.
The saved files are then launched for execution.
The Trojan then creates a command interpreter file called "updq.bat" in the same directory:
It writes code to delete the body of the Trojan and the "%WinDir%Web Download" directory to this file.
When it has delivered its payload, the Trojan launches "%Temp%\upd1.bat" for execution.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.