Naldem

Type
Trojan
SubType
Win32
Discovery Date
11/11/2003
Length
6,656 bytes
Minimum DAT
4304 (11/14/2003)
Updated DAT
4313 (01/07/2004)
Minimum Engine
5.1.00
Description Added
11/13/2003
Description Modified
11/13/2003 10:13 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection is for a trojan which is likely to be downloaded via a malicious spam email.

The spammed email masquerades as an alert that an e-card is awaiting the victim. However, the link within the HTML-formatted message is misleading, and directs the victim to an unexpected site. Details of the sender and email address of the spammed message can be read here.

From there, other remote scripts are executed which are intended to download and execute the trojan. These scripts are detected as VBS/Inor and VBS/Psyme.

When run on the victim machine, the trojan installs itself into %WinDir%:

C:\WINDOWS\DIVX.EXE

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run "DivX Updater" = C:\WINDOWS\DIVX.EXE

The trojan sends data to a remote server (HTTP) including information such as the following:

  • Operating system
  • ID number
  • Time

This information is sent to 69.56.204.206 (via HTTP, processed by a remote CGI script). A high port (>1024) is also opened on the victim machine.

The following Registry key is also created:

HKEY_LOCAL_MACHINE\Software\DivX

Symptoms

  • Existence of the above file/Registry key
  • Outgoing traffic to 69.56.204.206
  • A high port (>1024) is opened on the victim machine
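The file, Registry and network indicators listed under Characteristics and Symptoms can be checked offline against evidence collected from a suspect host. The following Python script is an added example written for this page, not code from the original description or from the vendor. It parses text in the format of a Windows .reg export (as produced by reg export) and of netstat -ano output, both constructed inline here as sample data, plus a list of file paths from a directory listing, and reports which Naldem indicators are present. Two choices go beyond the text: the file name is matched as DIVX.EXE under any %WinDir% (for example C:\WINNT on NT/2000) rather than only the C:\WINDOWS path shown, and, because a listening port above 1024 is far too common on its own to be an indicator, only high listening ports owned by a PID that is also seen talking to 69.56.204.206 are reported, on the assumption that the beaconing process is the one that opens the port.

```python
"""Offline IOC check for the Naldem indicators above (added example, not vendor code).
Inputs: text in the format of a Windows .reg export and of `netstat -ano` output."""
import ntpath
import re

# Indicators from the description.
DROPPED_NAME = "DIVX.EXE"   # written to %WinDir%, e.g. C:\WINDOWS\DIVX.EXE
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DivX Updater"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\DivX"
C2_ADDRESS = "69.56.204.206"   # HTTP beacon destination

# Constructed sample evidence from one infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DivX Updater"="C:\\WINDOWS\\DIVX.EXE"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\Software\DivX]
'''
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:2934           0.0.0.0:0              LISTENING       1540
  TCP    192.168.1.10:1045      69.56.204.206:80       ESTABLISHED     1540
  TCP    192.168.1.10:1046      207.46.245.60:80       ESTABLISHED     2012
  UDP    0.0.0.0:445            *:*                                    4
'''
SAMPLE_FILES = [r"C:\WINDOWS\DIVX.EXE", r"C:\WINDOWS\SOUNDMAN.EXE"]  # from a directory listing


def parse_reg_export(text):
    """Parse a .reg export into {key.lower(): {value name: data}}; REG_SZ values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|(@))=(.*)$', line) if current else None
        if not m:
            continue
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            # .reg string data escapes quotes and backslashes
            data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        keys[current][m.group(1) if m.group(1) is not None else "@"] = data
    return keys


def parse_netstat(text):
    """Parse `netstat -ano` lines into (proto, local, remote, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            state = parts[3] if parts[0] == "TCP" else ""   # UDP rows have no state column
            rows.append((parts[0], parts[1], parts[2], state, parts[-1]))
    return rows


def check_indicators(reg_text, netstat_text, present_files):
    """Return which Naldem indicators are present in the supplied evidence."""
    reg = parse_reg_export(reg_text)
    run_data = reg.get(RUN_KEY.lower(), {}).get(RUN_VALUE_NAME, "")
    found = {
        # basename match so C:\WINNT\DIVX.EXE on NT/2000 is also caught
        "run_hook": ntpath.basename(run_data).upper() == DROPPED_NAME,
        "marker_key": MARKER_KEY.lower() in reg,
        "dropped_file": any(ntpath.basename(p).upper() == DROPPED_NAME for p in present_files),
        "c2_connections": [],
        "listening_high_ports": [],
    }
    rows = parse_netstat(netstat_text)
    for proto, local, remote, state, pid in rows:
        if remote.rsplit(":", 1)[0] == C2_ADDRESS:
            found["c2_connections"].append((remote, state, pid))
    # Assumption: the high port is opened by the beaconing process itself, so only
    # listeners above 1024 owned by a PID seen talking to the C2 are reported;
    # a high listening port on its own is far too common to be an indicator.
    c2_pids = {pid for _, _, pid in found["c2_connections"]}
    for proto, local, remote, state, pid in rows:
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP" and state == "LISTENING" and pid in c2_pids and port > 1024:
            found["listening_high_ports"].append((port, pid))
    return found


def is_infected(found):
    """True when a strong indicator (file, Run hook, marker key, C2 traffic) is present."""
    return bool(found["run_hook"] or found["marker_key"] or found["dropped_file"]
                or found["c2_connections"])


if __name__ == "__main__":
    result = check_indicators(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES)
    for name, value in result.items():
        print(f"{name}: {value}")
    print("verdict:", "INFECTED" if is_infected(result) else "clean")
```

On a live host the same three inputs come from reg export HKLM\Software divx.reg, netstat -ano, and a recursive directory listing of %WinDir%; the .reg parser only decodes string (REG_SZ) values, which is all the two Registry checks need.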

Method of Infection

A spammed email is likely to introduce this trojan to the victim. Upon following a misleading link in the email, the user is redirected to a remote site, which in turn loads remote scripts. When these run, the trojan is written to the local drive.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Divxupd
  • Divxupd.dldr
  • Naldem.eml
