McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• BruteCode

• Win32.Lovmus (CA Vet)

• Win32/BruteCode (CAI)

Characteristics

This trojan is written in MSVB, and is intended to alter various settings on the victim machine. It may be received with a .JPG.EXE file extension, intended to fool the user into thinking it is an image, not an executable file.

When run, the trojan copies itself as BCFOLDER.EXE to the system directory of the victim machine, for example:

• C:\WINNT\SYSTEM32\BCFOLDER.EXE

The following Registry key is modified to hook the trojan:

• HKEY_CLASSES_ROOT\Folder\shell\open\command "(Default)"

It is changed from:

• %SystemRoot%\Explorer.exe /idlist,%I,%L

to:

• C:\WINNT\System32\BCfolder.exe explorer.exe /idlist,%I,%L

Additionally, the following Registry is modified, renaming the Recycle Bin on the victim machine:

•  HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
  "(Default)"

It is changed from:

• Recycle Bin

to:

• brutecode@yahoo.com
  

Similarly, the following key is also modified:

• HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
  "LocalizedString"

from:

• @C:\WINNT\system32\shell32.dll,-8964@1033,Recycle Bin

to:

• brutecode@yahoo.com

The following key data is removed:

• HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec
  "(Default)" = [ViewFolder("%l", %I, %S)]

Initial analysis suggests the trojan is also intended to alter the default start page of Internet Explorer, although this was not observed in testing.

The trojan contains the string:

Dedicated to : GOD'S_OWN_COUNTRY

Symptoms

• Recycle bin renamed to brutecode@yahoo.com
• Registry settings altered as detailed above

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• BruteCode

• Win32.Lovmus (CA Vet)

• Win32/BruteCode (CAI)

Characteristics

Characteristics -

This trojan is written in MSVB, and is intended to alter various settings on the victim machine. It may be received with a .JPG.EXE file extension, intended to fool the user into thinking it is an image, not an executable file.

When run, the trojan copies itself as BCFOLDER.EXE to the system directory of the victim machine, for example:

• C:\WINNT\SYSTEM32\BCFOLDER.EXE

The following Registry key is modified to hook the trojan:

• HKEY_CLASSES_ROOT\Folder\shell\open\command "(Default)"

It is changed from:

• %SystemRoot%\Explorer.exe /idlist,%I,%L

to:

• C:\WINNT\System32\BCfolder.exe explorer.exe /idlist,%I,%L

Additionally, the following Registry is modified, renaming the Recycle Bin on the victim machine:

•  HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
  "(Default)"

It is changed from:

• Recycle Bin

to:

• brutecode@yahoo.com
  

Similarly, the following key is also modified:

• HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
  "LocalizedString"

from:

• @C:\WINNT\system32\shell32.dll,-8964@1033,Recycle Bin

to:

• brutecode@yahoo.com

The following key data is removed:

• HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec
  "(Default)" = [ViewFolder("%l", %I, %S)]

Initial analysis suggests the trojan is also intended to alter the default start page of Internet Explorer, although this was not observed in testing.

The trojan contains the string:

Dedicated to : GOD'S_OWN_COUNTRY

Symptoms

Symptoms -

• Recycle bin renamed to brutecode@yahoo.com
• Registry settings altered as detailed above

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A