Content
Downloader-KP
- Type
- Trojan
- SubType
- Dropper
- Discovery Date
- 05/27/2004
- Length
- 1,136 Bytes (Packed) 16,909 Bytes (Unpacked)
- Minimum DAT
- 4364 (06/02/2004)
- Updated DAT
- 4696 (02/14/2006)
- Minimum Engine
- 5.1.00
- Description Added
- 05/27/2004
- Description Modified
- 06/10/2004 3:30 AM (PT)
Tab Navigation
Characteristics
This is not an email virus. This downloader trojan arrives in a file named msstasks.exe (FSG-packed).
The following files are downloaded upon execution of the file mentioned above:
| msrexe.exe | 31,774 bytes | BackDoor-AML trojan |
| tmp001.exe | 1,152 bytes | Downloader-KP (FSG packed ) trojan |
| tmp1.exe | 11,296 bytes | DDoS-Decill trojan |
| child.dll | 8,192 bytes | Downlaoder-GS |
| aux.exe | 64,380 bytes | Still under analysis |
The following registry entries were made:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"aux.exe" = "aux.exe" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"System Service" = "msrexe.exe" - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Swartax
"ImagePath" = "msrexe.exe" - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
"aux.exe" = "aux.exe" - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Swartax
"ImagePath" = "msrexe"
Symptoms
- Presence of the files listed above
- Precence of the registry entries listed above
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. Trojans may also be received as a result of poor security practices (weak username/password combination on open shares, lack of/or misconfigured firewall protection), or unpatched and vulnerable systems.
Removal
All Users:
Use specified engine and DAT files for detection.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This is not an email virus. This downloader trojan arrives in a file named msstasks.exe (FSG-packed).
The following files are downloaded upon execution of the file mentioned above:
| msrexe.exe | 31,774 bytes | BackDoor-AML trojan |
| tmp001.exe | 1,152 bytes | Downloader-KP (FSG packed ) trojan |
| tmp1.exe | 11,296 bytes | DDoS-Decill trojan |
| child.dll | 8,192 bytes | Downlaoder-GS |
| aux.exe | 64,380 bytes | Still under analysis |
The following registry entries were made:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"aux.exe" = "aux.exe" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"System Service" = "msrexe.exe" - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Swartax
"ImagePath" = "msrexe.exe" - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
"aux.exe" = "aux.exe" - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Swartax
"ImagePath" = "msrexe"
Symptoms
Symptoms -
- Presence of the files listed above
- Precence of the registry entries listed above
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. Trojans may also be received as a result of poor security practices (weak username/password combination on open shares, lack of/or misconfigured firewall protection), or unpatched and vulnerable systems.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A