Internet threat level: 1
Home→Descriptions→Trojan-Downloader.Win32.Geral.aakv
Trojan-Downloader.Win32.Geral.aakv
| Detected | Feb 22 2011 01:39 GMT |
| Released | Feb 22 2011 08:34 GMT |
| Published | Sep 09 2011 15:22 GMT |
Payload
Removal instructions
Technical Details
A trojan program that downloads other software to the computer without the user's knowledge and launches this software for execution. It is a Windows application (PE-EXE file). 52224 bytes. Written in C++.
Payload
After launching, in order to control the uniqueness of its process within the system, the trojan creates a unique identifier called "SeBebugPrivilege". The trojan then copies the system library named:
%System%\wininet.dlland saves this in the temporary file directory under a random name:
%Temp%\<tmp>.tmpwhere tmp is the name of the temporary file. The trojan then imports the functions which the trojan needs to download other malware from the saved copy of the library. The trojan then tries to download the file located at the following link:
http://e05.cxe95.com:8080/re05/sc.png. and saves this in the temporary file directory under the following name:
%Temp%\<tmp>.tmpThe file is then launched for execution. The file is then copied to the system directory under the following name:
%System%\system.exeSo that it may be automatically launched each time the OS is started, the trojan creates a link to the malicious file in the system registry startup key in a separate string:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "System"="%System%\system.exe"The trojan also determines the physical address of the computer (MAC-address) and transfers this to the attacker's server in a HTTP request from the following link: http://e05.cxe95.com:8080/?a=<rnd>&b=<rnd>&c=<rnd>&d=XX-XX-XX-XX-XX-XX where
XX-XX-XX-XX-XX-XX – MAC-address;rnd is a random sequence of digits.
These links did not work when creating the description.
Removal instructions
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
- Using
, end the trojan process. - Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
- Delete the parameters in the key of the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "System"="%System%\system.exe"
- Delete the following file:
%System%\system.exe
- Clear the current user's temporary file directory:
%Temp%\
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
[MD5: 1d39cc9adc940f75ae99f3748c6ac819]
[SHA1: b3eb5c53da03302f9b44588a26c4b63ec49b6f83]
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.
Trojan-Downloader.
- Trojan:
Generic Downloader. x!enc (McAfee) - Mal/Geral-A (Sophos)
- TrojanDownloader:
Win32/Begseabug. A (MS(OneCare)) - Trojan.
MulDrop. 59624 (DrWeb) - Win32/TrojanDownloader.
Agent. QOJ trojan (Nod32) - Gen:
Trojan. Heur. JP. dqW@aOs2jlc (BitDef7) - Trojan.
DL. Geral!2JiMC8dd0tk (VirusBuster) - Win32:
Downloader-FVM [Trj] (AVAST) - Trojan-Downloader.
Win32. Geral (Ikarus) - Generic21.
VI (AVG) - Downloader (NAV)
- NseCheckFile2() returned 0x00010018 (Norman)
- Trojan.
DL. Geral!2JiMC8dd0tk (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.