Generic Downloader.c
- Type: Trojan
- SubType: Win32
- Discovery Date: 01/05/2005
- Length: Varies
- Minimum DAT: 4317 (01/21/2004)
- Updated DAT: 5663 (07/01/2009)
- Minimum Engine: 5.3.00
- Description Added: 04/15/2004
- Description Modified: 06/05/2009 1:28 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
A new variant has been observed which arrives through email, embedded in the attached rtf file.
Once executed it creates a copy of itself in:
- %UserProfile%\Application Data\wks.exe
(where %UserProfile% is a variable location and refers to the user's profile folder.)
and creates the following registry value so that the copy runs at every logon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows32KernelStart = "%UserProfile%\Application Data\wks.exe"
It then attempts to connect to the following URLs:
- 12oaks.net/[blocked]/index.php
- bluegorillamedia.net/[blocked]/ActiveContent/index.php
- abfforms.com/[blocked]/index.php
At the time of writing, no malware was being served from these sites.
-- Update March 05, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.scmagazineus.com/Phishing-lures-draw-recipients-to-fake-video-of-dead-Castro/article/107532/
-- Update March 04, 2008 --
A new variant of Generic Downloader.c has been observed which spreads via phishing email purporting to be from Univision, a major Hispanic TV network. The threat downloads an additional password-stealing component. Full details on this new variant are below. For further information on the Generic Downloader family, please refer to the Generic Downloader description.
Upon execution, the trojan opens the following web page:

It connects to the following remote URLs to download additional malware:
- www.understandinghealthcare.com
- www.redeuniversidade.com.br
- www.hywic.co.uk
The downloaded malware (identified as Generic PWS.y) is saved as
%WinDir%\services.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
The following registry value is modified to hook system startup (a clean system has exactly "Explorer.exe" here; the trojan chains its own executable after it):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %WinDir%\services.exe"
The trojan also drops copies of the downloaded malware into P2P shared folders, for example:
- %imesh%\my shared folder\adaware2008full.rar.scr
- %imesh%\my shared folder\Ahead_Nero_9_new!_full+crack.zip.scr
- %imesh%\my shared folder\antispyware.rar.scr
- %imesh%\my shared folder\antivirus.rar.scr
(where %imesh% is the installation directory of iMesh.)
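As an added example (not part of this McAfee description), the following PowerShell audits the persistence points and drop paths listed above: the HKLM Run value Windows32KernelStart pointing at wks.exe, a Winlogon Shell value that chains services.exe after Explorer, and the file paths named for both variants. The function name and the Reason strings are my own; the indicators are the ones on this page.

```powershell
# Added example, not part of the McAfee description: audit the two persistence
# locations and the drop paths this description names. The function name and
# the Reason strings are mine (hypothetical); the indicators come from the page.
function Test-GenericDownloaderPersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    $report = { param($loc, $val, $why)
        $findings.Add([pscustomobject]@{ Location = $loc; Value = $val; Reason = $why }) }

    # 1. Winlogon Shell. The March 2008 variant sets it to
    #    "Explorer.exe %WinDir%\services.exe"; a clean value is exactly explorer.exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        & $report "$winlogon\Shell" $shell 'Shell chains another program after Explorer'
    }

    # 2. HKLM Run key. The RTF-borne variant adds
    #    Windows32KernelStart = "%UserProfile%\Application Data\wks.exe".
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    foreach ($p in @($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $v = [string]$p.Value
        # The real services.exe lives only in %WinDir%\system32; the dropped copy sits in %WinDir%.
        if ($p.Name -eq 'Windows32KernelStart' -or $v -match '\\wks\.exe' -or
            ($v -match '\\services\.exe' -and $v -notmatch '\\system32\\')) {
            & $report "$run\$($p.Name)" $v 'Run entry matches an indicator from the description'
        }
    }

    # 3. Dropped files. %UserProfile%\Application Data is the XP-era location;
    #    %APPDATA% is the equivalent folder on current Windows (roaming profile assumed).
    $paths = @(
        (Join-Path $env:USERPROFILE 'Application Data\wks.exe'),
        (Join-Path $env:APPDATA 'wks.exe'),
        (Join-Path $env:WINDIR 'services.exe'),
        (Join-Path $env:WINDIR 'system32\service\navupdt.exe'),
        (Join-Path $env:WINDIR 'system32\service\service.dll')
    )
    foreach ($f in $paths) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            & $report $f (Get-Item -LiteralPath $f).Length 'File named in the description is present'
        }
    }
    return $findings
}

Test-GenericDownloaderPersistence | Format-Table -AutoSize
```

An empty table means none of the listed indicators is present; a Shell finding on its own still deserves a look, since any value other than explorer.exe there is unusual regardless of this family.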
-- Update December 28, 2007 --
A new variant of Generic Downloader.c has been observed which is part of a threat that attempts to spread on the premise that it offers a codec to see a video of the suicide attack that killed Pakistani Prime Minister Benazir Bhutto. For more information on this threat, please see the Avert Blog.
-- Update December 30, 2005 --
A new variant of Generic Downloader.c has been observed which spreads via MSN Messenger and downloads an additional password-stealing component. Full details on this new variant are below. For further information on the Generic Downloader family, please refer to the Generic Downloader description.
DNS Queries
- hometown.aol.com.au
System Changes
Files Added
- c:\documents and settings\%USER%\local settings\temporary internet files\content.ie5\ktx34vgq\coco2006[1].jpg
- %WINDIR%\system32\service\service.dll
- c:\documents and settings\%USER%\local settings\temp\391670.dmp
- %WINDIR%\system32\service\navupdt.exe
- c:\documents and settings\%USER%\local settings\temp\wer2.tmp.dir00\appcompat.txt
Registry
The following registry keys are written:
- hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\intranetname="1"
- hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\uncasintranet="1"
- hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\proxybypass="1"
Symptoms
The application creates the following network connection(s):
- navupdt.exe server:hometown.aol.com.au port:80
Method of Infection
This worm spreads via MSN Messenger. The local MSN Messenger contact list is used to gather recipients for the instant messages. The additional password-stealing component, PWS-Banker.gen.d, is responsible for sending the instant messages.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
-- Update June 5, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://isc.sans.org/diary.html?storyid=6511&rss
--
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Nabload.U (Panda)