MultiDropper-FL

Type: Trojan
SubType: Dropper
Discovery Date: 03/06/2003
Length: Varies
Minimum DAT: 4252 (03/12/2003)
Updated DAT: 4253 (03/19/2003)
Minimum Engine: 5.1.00
Description Added: 03/07/2003
Description Modified: 03/14/2003 9:16 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update March 7, 2003 --

AVERT has received a new variant of this MultiDropper that tries to access other systems through Microsoft Networking, using the IPC$ share. AVERT has not seen this work in our testing at this time. This new variant does not create the registry entry referenced below.

This detection is for malware designed to silently install or 'drop' one or more trojans attached to the end of the file.

When run, the MultiDropper copies the attached trojans to the Temp directory, where they are then executed.

Ordinarily MultiDropper files serve only to drop and then execute the dropped files on the target machine. The dropper does not install itself on the victim machine. In this case however, it does hook the registry to drop the files again upon Windows startup using the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"NAV Live Update" = %Trojan File%

The MultiDropper file's length will vary depending on the size of the trojans it contains, and is likely to be packed.
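The persistence entry above is the one host artifact this description names, so a defender's first check is the HKLM Run key. The following is an added example, not code from the AVERT description: it parses a constructed .reg export (registry text, not a real infected system), returns every value under that Run key, and flags the "NAV Live Update" name from this description plus, as a heuristic assumption of my own, any startup program staged in a Temp directory, which matches the dropper's habit of copying its payloads there.

```python
import re
from typing import List, Tuple

# Persistence location and value name taken from the AVERT description.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAME = "NAV Live Update"
# Assumption (heuristic, not from the description): legitimate startup
# programs rarely live in a Temp directory, but this dropper stages there.
TEMP_PATTERN = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed .reg export for the demo; file names other than NEW_YEAR.EXE
# (which the description mentions) are invented placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="EXAMPLETRAY.EXE"
"NAV Live Update"="C:\\WINDOWS\\TEMP\\NEW_YEAR.EXE"
"Updater"="C:\\WINDOWS\\TEMP\\sample.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\TEMP\\setup.exe"
'''

# One exported string value: "name"="data", with \\ and \" escapes allowed.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_run_entries(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs under the HKLM Run key of a .reg export."""
    entries, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new [key] header: only the exact Run key is of interest.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            # Undo the .reg escaping so data holds the real path.
            name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
            entries.append((name, data))
    return entries


def find_suspicious_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Flag Run entries by the known value name, then by the Temp heuristic."""
    findings = []
    for name, data in parse_run_entries(reg_text):
        if name.lower() == SUSPECT_VALUE_NAME.lower():
            findings.append((name, data, "value name matches the MultiDropper-FL persistence entry"))
        elif TEMP_PATTERN.search(data):
            findings.append((name, data, "startup program staged in a Temp directory"))
    return findings
```

A hit on the value name alone does not prove infection (the name imitates a legitimate product), so confirm by scanning the referenced file with current engine and DAT files as the Removal section advises.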

Symptoms

  • New files dropped on the target machine
    (In the field samples AVERT has received, these are detected as IRC-Sdbot, BackDoor-JZ and ProcKill-AF).
  • Excessive network traffic (from the IRC-Sdbot trojan)
Method of Infection

This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include IRC, peer-to-peer file-sharing networks, and attachments to newsgroup postings or email. The file is likely to be named so as to entice the victim to run it (e.g. NEW_YEAR.EXE).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Nebiwo
  • W32.HLLW.Nebiwo (Symantec)
