VBS/Inor

Type: Trojan
SubType: Dropper
Discovery Date: 09/03/2003
Length: 2,682 bytes
Minimum DAT: 4291 (09/03/2003)
Updated DAT: 4977 (03/06/2007)
Minimum Engine: 5.1.00
Description Added: 09/03/2003
Description Modified: 01/23/2004 11:13 AM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

-- Update January 23, 2004 --
There have been several large spam runs of hyperlinks pointing to websites that host this trojan. In some cases these hyperlinks exploit an Internet Explorer vulnerability (see Exploit-URLSpoof); in other cases the hyperlinks do not contain the exploit code. Additionally, the VBS/Inor trojan itself was mass-spammed. In these recent cases, the purpose of Inor is to install the Proxy-Cidra trojan.

This detection is for Visual Basic scripts intended to drop and execute other (potentially malicious) files on the victim machine.

Multiple versions of this script are known. At least one was used to drop a downloader trojan during the installation of an adware application (see the Adware-Surfbar description). The script was referenced in spammed HTML-formatted emails.

The script bears similarities to Downloader-BO.dr.

Symptoms

The script serves only to drop a file on the victim machine.

Method of Infection

When the script runs, a potentially malicious file is written to the local drive. The script serves only to drop and execute this file.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
