Downloader-CY

Type: Trojan
SubType: Downloader
Discovery Date: 07/25/2003
Length: 2,570 bytes
Minimum DAT: 4281 (07/30/2003)
Updated DAT: 4892 (11/09/2006)
Minimum Engine: 5.1.00
Description Added: 07/25/2003
Description Modified: 08/06/2003 12:15 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This downloader trojan is created by a dropper HTML file, which was recently spammed to many email addresses. That message appears as follows:

From: Admin ADMIN@SECURITY.ORG
Subject: Re:
Body:
Hello , %email address%

New windows bug was detected , details in readme.htm file (attached) !

This is not spam ! , you get this letter because you are member of www.security.org

Attachment: readme.zip

The .zip file contains an HTML file, readme.html. This file is detected as a variant of Exploit-Codebase with the current DAT files. The HTML file creates and executes Downloader-DK, with the filename aaa.exe, on vulnerable systems. This executable connects to a remote web server to download a file named ksp.exe, save it locally as mshex.exe, and execute it. The file currently being downloaded is detected as "New Malware.b" with the current DAT files when scanning compressed files with heuristics enabled. The 4281 DAT files detect this downloaded file as BackDoor-AXU.
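The infection chain above starts with a zip attachment that wraps an HTML dropper. The following mail-gateway check is an added example, not McAfee's code: it opens each zip attachment in memory, reports any HTML member, and matches the attachment name against the lure name from this advisory. The sample message is constructed here to mirror the spam described above; the HTML inside it is an empty placeholder, not the dropper.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the advisory: the lure arrives as readme.zip wrapping
# an HTML file (readme.html).
LURE_ATTACHMENT = "readme.zip"
HTML_EXTENSIONS = (".htm", ".html")


def html_members_in_zip(blob: bytes) -> list[str]:
    """Return the names of HTML files inside a zip payload (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(HTML_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def flag_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message matches the zip-wrapped HTML dropper pattern."""
    msg = email.message_from_bytes(raw, policy=default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        html = html_members_in_zip(payload)
        if html:
            reasons.append(f"zip attachment {name!r} contains HTML: {html}")
        if name == LURE_ATTACHMENT:
            reasons.append(f"attachment name matches lure {LURE_ATTACHMENT!r}")
    return reasons


def build_sample() -> bytes:
    """Constructed sample reproducing the advisory's lure; the HTML is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.html", "<html><!-- constructed placeholder --></html>")
    msg = EmailMessage()
    msg["From"] = "Admin <ADMIN@SECURITY.ORG>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re:"
    msg.set_content("New windows bug was detected , details in readme.htm file (attached) !")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="readme.zip")
    return msg.as_bytes()
```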

Symptoms

- Presence of the files aaa.exe and mshex.exe
- Display of the following web page:

Method of Infection

This trojan was recently spammed to a number of email addresses. The attachment type is a zip file, requiring users to manually extract and access the contained file.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Downloader-DK
