MultiDropper-JD

Type: Trojan
SubType: Dropper
Discovery Date: 11/24/2004
Length: 7680 Bytes
Minimum DAT: 4326 (02/18/2004)
Updated DAT: 5600 (04/29/2009)
Minimum Engine: 5.1.00
Description Added: 04/26/2004
Description Modified: 08/26/2008 7:35 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update August 26, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/08/26/baby_kidnap_trojan/

--

This trojan is delivered via an email message containing the following information:

  • Subject: We have hijacked your baby
  • Body:
    Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later…
    We has attached photo of your fume

When run, the trojan adds the following files to the system:

  • %CommonAppData%\Microsoft\Network\Downloader\qmgr0.dat
  • %CommonAppData%\Microsoft\Network\Downloader\qmgr1.dat
  • %Temp%\D2.tmp
  • %Temp%\D4.tmp
  • %Temp%\LOADER.1312D7D.EXE

It connects to the following Internet domain to download additional files using the Microsoft Background Intelligent Transfer Service (BITS):

  • reddii.org

Symptoms

Existence of the files mentioned above.

Unexplained network traffic to reddii.org.
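
The following PowerShell check is an added example, not McAfee's tooling or anything from the original write-up: it resolves the %CommonAppData% and %Temp% placeholders above through the .NET special-folder APIs, tests for the listed files, and enumerates every user's BITS jobs for transfers from reddii.org, which is how a responder would confirm the two symptoms just listed. It assumes an elevated PowerShell on Windows 7 or later (where the BitsTransfer module exists) and inspects only the current user's %Temp%.

```powershell
# Added host check for the MultiDropper-JD indicators (example code, not McAfee's).
# Assumptions: elevated PowerShell, Windows 7+ with the BitsTransfer module.
Import-Module BitsTransfer

$badHost   = 'reddii.org'
$commonApp = [Environment]::GetFolderPath('CommonApplicationData')  # %CommonAppData%
$temp      = [IO.Path]::GetTempPath()                               # %Temp%, current user only

$indicators = @(
    (Join-Path $commonApp 'Microsoft\Network\Downloader\qmgr0.dat'),
    (Join-Path $commonApp 'Microsoft\Network\Downloader\qmgr1.dat'),
    (Join-Path $temp 'D2.tmp'),
    (Join-Path $temp 'D4.tmp'),
    (Join-Path $temp 'LOADER.1312D7D.EXE')
)

# 1. Dropped files. BITS keeps its own queue in qmgr0.dat/qmgr1.dat on older
#    Windows, so those two hits are weaker evidence than the loader in %Temp%.
foreach ($path in $indicators) {
    if (Test-Path -LiteralPath $path) {
        Write-Output "FILE : $path"
    }
}

# 2. BITS jobs of every user (needs elevation) whose remote URL points at the
#    download domain or one of its subdomains.
foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($f in $job.FileList) {
        $remoteHost = ([uri]$f.RemoteName).Host
        if ($remoteHost -ieq $badHost -or $remoteHost -ilike "*.$badHost") {
            Write-Output ("BITS : job '{0}' ({1}) {2} {3} -> {4}" -f `
                $job.DisplayName, $job.JobId, $job.JobState, $f.RemoteName, $f.LocalName)
        }
    }
}

# 3. Evidence of past traffic: the domain still cached by the DNS client resolver.
ipconfig /displaydns | Select-String -SimpleMatch $badHost |
    ForEach-Object { Write-Output "DNS  : $($_.Line.Trim())" }
```

A hit on the loader or on a BITS job from the domain is the decisive signal; the qmgr*.dat files exist on clean machines too.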

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. This trojan's only observed distribution channel to date is as an attachment to the email described above.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Troj/Resex-Fam
  • Win32/Twores.gen
