Downloader-GJ

Type: Trojan
SubType: Downloader
Discovery Date: 01/09/2004
Length: 4,096 bytes (WINXP_SP1.EXE); 27,136 bytes (BASE.EXE)
Minimum DAT: 4314 (01/14/2004)
Updated DAT: 4374 (07/07/2004)
Minimum Engine: 5.1.00
Description Added: 01/09/2004
Description Modified: 01/14/2004 3:31 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update 9th January 2004 --
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.eweek.com/article2/0,4149,1429835,00.asp

This detection is for a downloader trojan that is known to have been spammed to many users, masquerading as a Windows XP service pack (attachment name WINXP_SP1.EXE).

The downloader retrieves another downloader, which is intended to download other remote files (as configured by a remote script). At the time of writing, it is suspected that the components all contribute towards a distributed denial of service (DDoS) attack against a remote web site hosting forums.

Spammed Message

The spammed message may be constructed as follows:

Subject : Windows XP Service Pack 1 (Express) - Critical Update.
Body :
Window Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1). To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1. If you cannot remove the beta version, you should still reinstall Windows XP SP1.

Windows XP SP1 provides the latest security, reliability, and performance updates to the Windows XP family of operating systems. Windows XP SP1 is designed to ensure Windows XP platform compatibility with newly released software and hardware, and includes updates to resolve issues discovered by customers or by Microsoft's internal testing team.

The maximum download size is approximately 3 MB, however the size of the download and time required may be less for computers that have had
updates previously installed. To minimize the download time needed for installation, setup will only download those files which are required to bring your computer up to date. Windows XP SP1 includes Internet Explorer 6 SP1. Anti-virus software programs may interfere with the installation of Windows XP SP1. Please disable anti-virus software while installing the service pack.

Just run the file winxp_sp1.exe in attach and make sure to restart your
PC after installation will be completed.

(c) 2004 Microsoft Corporation. All rights reserved. Terms of Use Privacy
Statement
Attachment : WINXP_SP1.EXE (4096 bytes)
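As an added example (not part of the McAfee description), the following Python scores a raw message against the traits of this lure: an executable attachment, the update/service-pack wording quoted above, and a vendor-looking sender address combined with an attached binary. The message it builds is constructed here to mirror the quoted text and is not a captured sample; the phrase list and the extension list are assumptions for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions treated as directly executable (assumption for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Wording taken from the lure text quoted on the page.
LURE_PHRASES = ("service pack", "critical update", "disable anti-virus", "run the file")
# Sender domains whose software updates are not shipped as mail attachments.
VENDOR_DOMAINS = ("microsoft.com",)


def _constructed_lure() -> bytes:
    """Build a message shaped like the spam described on the page (constructed, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "Windows Update <update@microsoft.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Windows XP Service Pack 1 (Express) - Critical Update."
    msg.set_content(
        "Please disable anti-virus software while installing the service pack.\n"
        "Just run the file winxp_sp1.exe in attach and make sure to restart your PC."
    )
    # Dummy bytes standing in for the 4,096-byte attachment; only the 'MZ' magic is meaningful.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="WINXP_SP1.EXE")
    return msg.as_bytes()


def _constructed_benign() -> bytes:
    """A plain text-only message with none of the lure traits (constructed)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Lunch"
    msg.set_content("See you at noon.")
    return msg.as_bytes()


def assess_message(raw: bytes) -> dict:
    """Return the executable attachments found, the reasons for concern, and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    text = subject + "\n" + body

    exe_attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS:
            exe_attachments.append(name)

    reasons = []
    if exe_attachments:
        reasons.append("executable attachment: " + ", ".join(exe_attachments))
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("update lure wording: " + ", ".join(hits))
    if exe_attachments and any(d in sender for d in VENDOR_DOMAINS):
        reasons.append("vendor sender address with an executable attached")

    return {
        "executable_attachments": exe_attachments,
        "reasons": reasons,
        # The combination of a binary attachment and update-style wording is the lure pattern.
        "suspicious": bool(exe_attachments) and bool(hits),
    }


if __name__ == "__main__":
    for raw in (_constructed_lure(), _constructed_benign()):
        print(assess_message(raw))
```

The verdict deliberately requires both an executable attachment and lure wording, so a plain attachment or a plain "critical update" notice on its own does not trip it; the individual reasons are still returned so a mail gateway can log them.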

Second Downloader Component

When WINXP_SP1.EXE is run on the victim machine, it downloads another remote file (BASE.EXE, 27,136 bytes). This binary is executed and installs itself as MSVCHOST.EXE in %SysDir%. For example:

  • C:\WINNT\SYSTEM32\MSVCHOST.EXE

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "mssvc" = %SysDir%\MSVCHOST.EXE

This file appears to be another downloading trojan. MSVCHOST.EXE downloads a file from the gamemaniacs.org domain. The exact file downloaded may vary (according to the scripts running on the domain). At the time of writing, the following file was downloaded:

  • HTTP_F.DLL (23,552 bytes)

The DLL has been observed to repeatedly request pages from a Russian web site that hosts forums. This is suggestive of a denial of service attack.

BASE.EXE (MSVCHOST.EXE) and HTTP_F.DLL are detected as Downloader-GJ.b and Xombe.dll trojans respectively with the specified engine/DATs.
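As an added example (not McAfee's code), here is a small Python check for the startup hook described above, run against a `.reg` export of the Run keys as produced by `regedit /e`. It parses the export, keeps only values under a `...\CurrentVersion\Run` key, and flags a value named `mssvc` or one whose image is `MSVCHOST.EXE`, the two indicators the page gives. The export text embedded in the block is constructed for the example and was not taken from a real machine.

```python
import re
from typing import List, Tuple

# Indicators from the page for the second downloader (BASE.EXE installed as MSVCHOST.EXE).
RUN_VALUE_NAME = "mssvc"
DROPPED_FILE = "MSVCHOST.EXE"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Constructed .reg export (not from a real host), in the format regedit writes.
# Note that exports double every backslash inside string data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"mssvc"="C:\\WINNT\\SYSTEM32\\MSVCHOST.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
'''

# A quoted string in a .reg file: any run of non-quote chars or backslash escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape_reg_string(s: str) -> str:
    """Undo the escaping regedit applies to REG_SZ data: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples for the REG_SZ values in a .reg export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            entries.append((current_key,
                            _unescape_reg_string(m.group(1)),
                            _unescape_reg_string(m.group(2))))
    return entries


def is_suspect_run_value(key: str, name: str, data: str) -> bool:
    """True when the value lives under a Run key and matches either page indicator."""
    if not key.lower().endswith(RUN_KEY_SUFFIX):
        return False
    # Take the image path (first token) and reduce it to its base name.
    image = data.strip().strip('"').split()[0] if data.strip() else ""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].upper()
    return name.lower() == RUN_VALUE_NAME or basename == DROPPED_FILE


def find_startup_hooks(text: str) -> List[Tuple[str, str, str]]:
    """Filter a .reg export down to the Run values matching the indicators."""
    return [(k, n, d) for k, n, d in parse_reg_export(text) if is_suspect_run_value(k, n, d)]


if __name__ == "__main__":
    for key, name, data in find_startup_hooks(SAMPLE_REG):
        print(f"suspect Run value under {key}: \"{name}\" = {data}")
```

Both HKLM and HKCU Run keys are covered by matching on the key suffix rather than the hive, and the match on the image base name catches a renamed value that still points at MSVCHOST.EXE. Finding the value is confirmation only; removal is done with the engine/DAT combination named in the Removal section.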

Symptoms

The downloader trojan attempts to download a remote file from the following domain:

gamemaniacs.org

The downloaded file is another downloader trojan, which in turn may download other remote file(s) - the exact identity of which is governed by the scripts running on the above domain.
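The two network symptoms on this page, the fetch from gamemaniacs.org and the DLL's repeated page requests against one forum site, can both be picked out of a web proxy log. The following Python is an added example (not from the McAfee description): it parses constructed log lines of the form `<date> <time> <client> <method> <url> <status>`, lists the internal hosts that contacted the download domain, and runs a sliding-window count per (client, destination host) to surface the request burst. `forums.example.net` is a placeholder for the forum site the page does not name, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Domain named on the page as the source of the second-stage download.
DOWNLOAD_DOMAIN = "gamemaniacs.org"

# Constructed log format for this example: "<date> <time> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def _constructed_log() -> List[str]:
    """Proxy log lines invented for the example; forums.example.net is a placeholder site."""
    lines = [
        "2004-01-09 10:15:02 10.0.0.5 GET http://gamemaniacs.org/dl/http_f.dll 200",
        "2004-01-09 10:15:03 10.0.0.9 GET http://www.microsoft.com/windowsxp/ 200",
        "2004-01-09 10:16:00 10.0.0.9 GET http://forums.example.net/index.php 200",
        "2004-01-09 10:20:00 10.0.0.9 GET http://forums.example.net/viewtopic.php?t=1 200",
    ]
    # 10.0.0.5 then requests the same forum page 15 times in 15 seconds.
    for s in range(15):
        lines.append(f"2004-01-09 10:15:{10 + s:02d} 10.0.0.5 GET http://forums.example.net/index.php 200")
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    date, time, client, method, url, status = m.groups()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "client": client,
        "method": method,
        "host": (urlparse(url).hostname or "").lower(),
        "status": int(status),
    }


def clients_contacting(lines: List[str], domain: str) -> Set[str]:
    """Internal clients that requested anything from the domain or a subdomain of it."""
    domain = domain.lower()
    found = set()
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["host"] == domain or rec["host"].endswith("." + domain)):
            found.add(rec["client"])
    return found


def request_floods(lines: List[str], threshold: int = 10,
                   window: timedelta = timedelta(seconds=30)) -> Dict[Tuple[str, str], int]:
    """Per (client, host), the peak number of requests inside any sliding window.

    Pairs whose peak reaches the threshold are returned; this is the DoS-like
    pattern the page describes for HTTP_F.DLL.
    """
    times: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            times[(rec["client"], rec["host"])].append(rec["ts"])

    floods = {}
    for key, stamps in times.items():
        stamps.sort()
        recent: deque = deque()
        peak = 0
        for t in stamps:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            floods[key] = peak
    return floods


if __name__ == "__main__":
    log = _constructed_log()
    print("contacted", DOWNLOAD_DOMAIN, ":", sorted(clients_contacting(log, DOWNLOAD_DOMAIN)))
    for (client, host), peak in request_floods(log).items():
        print(f"{client} -> {host}: {peak} requests in one window")
```

A host that appears in both results (it fetched from the download domain and is now hammering one site) is the strongest match for this infection chain; either result on its own still warrants a look at the host's Run key and %SysDir%.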

Method of Infection

This downloader trojan serves to download another downloader trojan from a remote server. This latter downloader may download other remote content.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Downloader-GJ.b
  • Trojan.Xombe (NAV)
  • TrojanDownloader.Win32.Xombe (AVP)
