|Detected||Jan 26 2004 11:33 GMT|
|Released||Jan 26 2004 11:33 GMT|
|Published||Nov 08 2006 12:54 GMT|
The Trojan consists of two files. The first of these is a so-called executable file called stub.exe, which is 20 480 bytes in size. The second file is the constructor for the first file, and is 24 576 bytes in size. The constructor is used to assign parameters to the executable file, such as the path to the file to be downloaded from the Internet, and the name under which the downloaded file will be saved on the victim machine.
When launched, the Trojan displays the following window:
When the user clicks on "Create", the Trojan will copy stub.exe, which is located in the Trojan's working directory, under the name which has been entered in the "Downloader" field. The Trojan opens the copied file and writes data given in the data entry fields to the end of this file in the following format:
When the generated file is launched, it will search its body for a "CONFIG" string. The link from which a file is to be downloaded is located directly following this string. The Trojan will download a file from this link to the Windows system directory and save it under the name given after the "CONFIG" string and the link. It will then launch the downloaded file for execution.
If the user clicks on "Help" the Trojan displays the following message:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.