Downloader-EV
- Type: Trojan
- SubType: Downloader
- Discovery Date: 10/23/2003
- Length: 67,592 bytes (parent file)
- Minimum DAT: 4300 (10/29/2003)
- Updated DAT: 5718 (08/23/2009)
- Minimum Engine: 5.1.00
- Description Added: 10/30/2003
- Description Modified: 10/30/2003 3:51 AM (PT)
Characteristics
This detection is for a file that serves as a downloading/updating component.
Upon execution on the target machine, the file installs itself into the application data folder, using a random 4-letter filename. For example:
- C:\WINDOWS\APPLICATION DATA\ESCN.EXE
- C:\DOCUMENTS AND SETTINGS\USERNAME\APPLICATION DATA\CSRR.EXE
This file is 67,592 bytes in length.
A Registry key is added to execute this file at subsequent system startup - the string name used for this key will vary. For example:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Otss" = C:\WINDOWS\ESCN.EXE
Once running, an attempt is made to connect to a remote server (located via a DNS request). An HTTP GET request is then sent to the server, passing information such as:
- install, update or warning
- version details
- message
So when the file is first run on a machine, the request indicates that an install is desired. If the connection to the remote server fails, the request instead serves as a warning that the remote server should be checked for content.
Investigation into the downloaded (and presumably installed) application is still ongoing - description will be updated once complete.
Symptoms
- Unexpected Internet activity, as the machine attempts to connect to www.clickspring.net
- Presence of the files/Registry key detailed above
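The indicators above (a random 4-letter EXE dropped under an Application Data folder or C:\WINDOWS, a 67,592-byte parent file, a Run-key value with a random name, and DNS lookups for www.clickspring.net) can be checked mechanically. The following triage script is an added example, not part of the advisory or of McAfee's tooling; the Run-key export, file sizes and DNS log lines it runs against are constructed sample data, and the value name "Qzpa" is invented for the sample.

```python
import re
from typing import Dict, List

# Indicators quoted from the advisory above.
PARENT_FILE_SIZE = 67_592
C2_HOST = "www.clickspring.net"

# The dropped file has a random 4-letter name and lands under an Application
# Data folder (the Run-key example in the advisory points at C:\WINDOWS).
DROP_PATH_RE = re.compile(
    r"^[A-Z]:\\(?:.*\\)?(?:APPLICATION DATA|WINDOWS)\\[A-Z]{4}\.EXE$",
    re.IGNORECASE,
)

def triage_run_values(run_values: Dict[str, str],
                      file_sizes: Dict[str, int]) -> List[dict]:
    """Flag Run-key values whose data matches the drop pattern.
    run_values: value name -> command data, as exported from the Run key.
    file_sizes: upper-cased full path -> size in bytes, for files on disk.
    The value name ("Otss" in the advisory) is random, so it is ignored."""
    findings = []
    for name, command in run_values.items():
        path = command.strip().strip('"')
        if not DROP_PATH_RE.match(path):
            continue
        size = file_sizes.get(path.upper())
        # A size match with the parent file raises confidence; a missing or
        # different size still leaves the path pattern worth a look.
        confidence = "high" if size == PARENT_FILE_SIZE else "medium"
        findings.append({"value": name, "path": path, "size": size,
                         "confidence": confidence})
    return findings

def find_c2_lookups(dns_log_lines: List[str]) -> List[str]:
    """Return DNS log lines recording a query for the advisory's host."""
    return [line for line in dns_log_lines if C2_HOST in line.lower()]

# Constructed sample data (not from a real host): a Run-key export, file sizes
# from a directory listing and two DNS server log lines.
SAMPLE_RUN_VALUES = {
    "Otss": r"C:\WINDOWS\ESCN.EXE",
    "ctfmon": r"C:\WINDOWS\SYSTEM32\CTFMON.EXE",
    "Qzpa": r'"C:\DOCUMENTS AND SETTINGS\USERNAME\APPLICATION DATA\CSRR.EXE"',
}
SAMPLE_FILE_SIZES = {r"C:\WINDOWS\ESCN.EXE": 67_592,
                     r"C:\WINDOWS\SYSTEM32\CTFMON.EXE": 15_360}
SAMPLE_DNS_LOG = ["10/30/2003 03:10:12 query 192.168.1.20 A www.microsoft.com",
                  "10/30/2003 03:10:15 query 192.168.1.20 A www.clickspring.net"]
```

On a live system the two dictionaries would be filled from a `reg export` of the Run key and a directory listing of the candidate paths.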
Method of Infection
This is a downloading/updating component that serves to retrieve data from a remote server. Analysis is currently ongoing to assess exactly what is installed.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Trojan.DownLoader (Dialogue Science)