ALIASES:
Trojan-Downloader.Win32.SmallOFF (Morbite); TrojanDownloader:Win32/Small.gen!AO (Microsoft); Downloader-BNM.dr (McAfee); Suspicious.DLoader (Symantec); Trojan-Downloader.Win32.Agent.bjum (Kaspersky); Trojan-Downloader.Win32.Agent.oxo (v) (Sunbelt); Trojan.Downloader.JLSE (F-Secure)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
Threat behavior
- Attempts to download and execute a file located at IP 70.147.30.110 (at the time of writing this remote file was not available). If successful, the trojan stores the downloaded file locally as %windir%\system svchots.exe (note the filename difference from the standard Windows file svchost.exe) and then executes it.
- Drops the file %windir%\sysreq2.txt. The trojan uses this file to store the number of successful download attempts. The number is stored in ASCII format (for instance, the number 1 is represented by the hex value 31h).
- Attempts to terminate the running process 'msconf.exe', which is normally associated with other malicious programs.
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
This Trojan deletes the following files:
- %Temp%\scs1.tmp
- %Temp%\scs2.tmp
(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)
Dropping Routine
This Trojan drops the following files:
- %Windows%\foto2008.jpg
- %System%\Explorer.exe
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Other Details
This Trojan connects to the following possibly malicious URL:
- http://fotos.{BLOCKED}o.pt/gentlevip/pic/000200p9/s500x500
- http://olocooco2008xx.{BLOCKED}m.su/eclipse2008.jpg
- http://olocooco2008xx.{BLOCKED}m.su/autoorkut.jpg
- http://www.{BLOCKED}btown.com/rogercdr01/tela3.jpg
- http://www.{BLOCKED}g.com/blogfiles/1/137955/general/msn.exe
This report is generated via an automated analysis system.
Solution
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Search and delete these components
- %Windows%\foto2008.jpg
- %System%\Explorer.exe
To manually delete a malware/grayware file from an affected system:
• For Windows 2000, Windows XP, and Windows Server 2003:
- Right-click Start then click Search....
- In the File name* input box, type the following:
- %Windows%\foto2008.jpg
- %System%\Explorer.exe
- In the Look In drop-down list, select My Computer then press Enter.
- Once located, select the file then press SHIFT+DELETE to delete it.
*Note: The file name input box title varies depending on the Windows version (e.g. Search for files or folders named or All or part of the file name.).
• For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:
- Open a Windows Explorer window.
- For Windows Vista, 7, and Server 2008 users, click Start>Computer.
- For Windows 8, 8.1, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
- In the Search Computer/This PC input box, type:
- %Windows%\foto2008.jpg
- %System%\Explorer.exe
- Once located, select the file then press SHIFT+DELETE to delete it.
*Note: Read the following Microsoft page if these steps do not work on Windows 7.
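The manual search-and-delete steps above can be scripted so that every file indicator this entry names is located, hashed and reported in one pass before anything is removed. The following PowerShell function is an added example written for this page; it is not part of the original report or of any vendor tool. The paths are the ones the entry lists (the dropped files, the sysreq2.txt counter file and the two %Temp% files); the payload path is written in the entry as "%windir%\system svchots.exe", and the backslash-separated form used below is an assumption. The function name, the -Remove switch and the svchots process check are this example's own. It needs PowerShell 4 or later for Get-FileHash, so it targets a modern analyst workstation or a mounted image rather than the Windows 2000/XP hosts the entry lists. Note that the legitimate Explorer lives at %Windows%\explorer.exe, so a copy found at %System%\Explorer.exe is the dropped file rather than a system component.

```powershell
# Added example (not from the original report): locate the file indicators
# this entry lists, report them for analyst review, and only delete on request.
function Find-DownloaderArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Delete confirmed hits. Default is report-only.
        [switch]$Remove
    )

    $windir = $env:SystemRoot
    $system = Join-Path $windir 'System32'
    $temp   = $env:TEMP

    # Paths named in the report. The "system\svchots.exe" form is an assumption
    # (the report prints it as "%windir%\system svchots.exe").
    $indicators = @(
        (Join-Path $windir 'foto2008.jpg'),
        (Join-Path $system 'Explorer.exe'),
        (Join-Path $windir 'sysreq2.txt'),
        (Join-Path $windir 'system\svchots.exe'),
        (Join-Path $temp   'scs1.tmp'),
        (Join-Path $temp   'scs2.tmp')
    )

    # The report says the downloaded payload is executed under the
    # misspelled name; flag it if it is still running.
    $running = Get-Process -Name 'svchots' -ErrorAction SilentlyContinue
    foreach ($p in $running) {
        Write-Warning ("Process svchots.exe is running (PID {0}); stop it before removing files." -f $p.Id)
    }

    foreach ($path in $indicators) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        # Emit one record per hit so the caller can export or review it.
        [pscustomobject]@{
            Path          = $path
            SizeBytes     = $item.Length
            LastWriteTime = $item.LastWriteTime
            SHA256        = $hash
        }

        # sysreq2.txt holds the successful-download counter as ASCII digits
        # (e.g. 0x31 for "1"); surface it, since it tells the analyst how many
        # times the payload was fetched.
        if ($item.Name -ieq 'sysreq2.txt') {
            $count = (Get-Content -LiteralPath $path -Raw).Trim()
            Write-Verbose "sysreq2.txt download counter: '$count'"
        }

        # -Remove deletes outright (no Recycle Bin), matching the SHIFT+DELETE
        # step; -WhatIf / -Confirm work through ShouldProcess.
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# Usage: report only, then remove after review.
#   Find-DownloaderArtifacts -Verbose | Format-Table -AutoSize
#   Find-DownloaderArtifacts -Remove -WhatIf
#   Find-DownloaderArtifacts -Remove
```

Run it from an elevated prompt, since %Windows% and %System% are not writable by a standard user. Collecting the SHA256 of each hit before deletion preserves evidence and lets the sample be matched against the detection names listed under ALIASES.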