MultiDropper-JW

Type: Trojan
SubType: Dropper
Discovery Date: 03/18/2004
Length: Various
Minimum DAT: 4340 (03/22/2004)
Updated DAT: 4340 (03/22/2004)
Minimum Engine: 5.1.00
Description Added: 03/19/2004
Description Modified: 03/19/2004 8:29 AM (PT)

Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This detection is for a trojan intended to drop malware onto the victim machine. The threat consists of multiple components:

An HTML file containing an encoded VBS script. This HTML file is known to have been spammed out to users as an email attachment:

  • EXCHANGERS.ZIP (10,209 bytes), containing:
  • EXCHANGERS.HTM (18,364 bytes)

A web page is displayed when the HTML file is viewed (screenshot omitted).

The VBS within the HTML file is detected as VBS/MultiDropper-JW.gen with the specified engine/DATs. The script drops (and executes) an EXE file on the victim machine:

  • NOTEPAD.EXE (7,168 bytes)

This EXE is detected as MultiDropper-JW with the specified engine/DATs. When run, this EXE drops another EXE:

  • %WinDir%\USERINIT.EXE (14,336 bytes)

This EXE is also detected as MultiDropper-JW with the specified engine/DATs. When run, it drops another trojan onto the victim machine:

  • %WinDir%\CSRSS.EXE (11,264 bytes)

CSRSS.EXE is detected as StartPage-CG with the specified engine/DATs.

Please Note: There is a legitimate system file with the filename CSRSS.EXE within the Windows system directory (%SysDir%). Every component in this chain borrows the name of a legitimate Windows file (NOTEPAD.EXE, USERINIT.EXE, CSRSS.EXE); the dropped USERINIT.EXE and CSRSS.EXE are distinguished from the genuine files by their location in %WinDir% rather than %SysDir%.

The following Registry value is modified so that the trojan USERINIT.EXE (which drops and executes CSRSS.EXE) runs at each logon in place of the legitimate userinit.exe:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
    CurrentVersion\Winlogon "userinit"

is changed from:

  • %SysDir%\USERINIT.EXE

to:

  • %WinDir%\USERINIT.EXE

Additionally, the StartPage-CG trojan alters the security settings of Internet Explorer. Values within the following key (the Internet zone, zone 3) are altered:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Internet Settings\Zones\3

The following are all set to equal 0x00000000 (for these URL-action values 0 means Enable, 1 means Prompt and 3 means Disable, so each of the ActiveX-related actions below is silently allowed for Internet content):

  • "1001" (Download signed ActiveX controls)
  • "1004" (Download unsigned ActiveX controls)
  • "1200" (Run ActiveX controls and plug-ins)
  • "1201" (Initialize and script ActiveX controls not marked as safe for scripting)
  • "1405" (Script ActiveX controls marked safe for scripting)
  • "1406" (Access data sources across domains)
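
As an added triage example (not part of McAfee's original description), the following Python script applies the two registry indicators above to a registry export in the text format written by "reg export", and checks a file listing for copies of USERINIT.EXE and CSRSS.EXE that sit outside a system32 directory. The export text and the file listing are constructed samples; the value names are the standard Internet Explorer URL-action identifiers. Because some of the six zone values are 0 on a default Medium-security Internet zone, the script lists each zeroed value but treats only the complete set at 0 as matching the trojan's change.

```python
import re

# Keys named in the description (compared case-insensitively below).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Internet-zone URL actions the trojan sets to 0 (0 = Enable, 1 = Prompt, 3 = Disable).
ZONE3_ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1406": "Access data sources across domains",
}

# Constructed sample: a 'reg export' of the two keys from an infected machine.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\USERINIT.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000000
"""

# Constructed sample: a clean XP machine (default Userinit, Medium-security zone values).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1405"=dword:00000000
"1406"=dword:00000001
"""


def parse_reg_export(text):
    """Parse the .reg subset used here: [key] headers and "name"=value lines.
    Returns {key_lower: {name_lower: value}}; dword values become int, string
    values become str with the export format's doubled backslashes undone."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.lower().startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = raw
    return keys


def check_userinit(keys):
    """Flag every comma-separated Userinit entry that is not system32's userinit.exe."""
    value = keys.get(WINLOGON_KEY.lower(), {}).get("userinit")
    if value is None:
        return ["Winlogon Userinit value not present in export"]
    findings = []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        parent, _, name = entry.rpartition("\\")
        if name.lower() != "userinit.exe" or not parent.lower().endswith("\\system32"):
            findings.append("Userinit runs a program outside system32: " + entry)
    return findings


def check_zone3(keys):
    """Return the ActiveX actions currently at 0 (Enable) in the Internet zone."""
    zone = keys.get(ZONE3_KEY.lower(), {})
    return [f"{n} ({d}) = 0 Enable" for n, d in ZONE3_ACTIVEX_ACTIONS.items() if zone.get(n) == 0]


def zone3_matches_trojan(keys):
    """True only when all six actions the trojan zeroes are at 0, which no default does."""
    return len(check_zone3(keys)) == len(ZONE3_ACTIVEX_ACTIONS)


def misplaced_system_names(paths):
    """Return USERINIT.EXE / CSRSS.EXE paths whose directory is not a system32 directory."""
    hits = []
    for p in paths:
        parent, _, name = p.rpartition("\\")
        if name.lower() in ("userinit.exe", "csrss.exe") and not parent.lower().endswith("\\system32"):
            hits.append(p)
    return hits


def triage(export_text, file_paths):
    keys = parse_reg_export(export_text)
    return {
        "userinit": check_userinit(keys),
        "zone3_zeroed": check_zone3(keys),
        "zone3_matches_trojan": zone3_matches_trojan(keys),
        "misplaced_files": misplaced_system_names(file_paths),
    }


if __name__ == "__main__":
    # Constructed listing: the legitimate system32 files beside the dropped %WinDir% copies.
    listing = [r"C:\WINDOWS\system32\csrss.exe", r"C:\WINDOWS\system32\userinit.exe",
               r"C:\WINDOWS\CSRSS.EXE", r"C:\WINDOWS\USERINIT.EXE"]
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, triage(export, listing))
```

On a live machine the export is produced with "reg export" of the two keys; the clean sample is included so that the 1200 and 1405 values, which are 0 by default, are seen to be reported individually without the full-set match firing.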

Symptoms

Existence of the files and Registry keys detailed above.

Method of Infection

This detection is for a series of components which are intended to deliver malware to the victim machine.

The threat is likely to be received via a spammed out email message. The message carries a ZIP attachment holding an HTML file with an encoded VBS script embedded in it. Once the HTML file is opened and the script runs, it commences the process of installing the trojan on the victim machine.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • VBS/MultiDropper-JW.gen
