McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This detection is for a downloading trojan that serves only to download and execute a remote file.

Once executed, it installs itself on the victim machine using deceptive file and folder names:

• c:\WINNT\system32\drivers\cd_load.exe
• c:\WINNT\system32\inetsrv\MSCStat.exe

The following Registry hooks are added:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "CashToolbar" = C:\WINNT\system32\inetsrv\MSCStat.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "ClickTheButton" = C:\WINNT\system32\drivers\cd_load.exe

After a delay, the following fake error message is displayed:

Upon clicking OK, the trojan attempts to download remote files.

Symptoms

See above. This downloader trojan serves to download and execute remote files.

Method of Infection

This downloader trojan serves to download and execute remote files.

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This detection is for a downloading trojan that serves only to download and execute a remote file.

Once executed, it installs itself on the victim machine using deceptive file and folder names:

• c:\WINNT\system32\drivers\cd_load.exe
• c:\WINNT\system32\inetsrv\MSCStat.exe

The following Registry hooks are added:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "CashToolbar" = C:\WINNT\system32\inetsrv\MSCStat.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "ClickTheButton" = C:\WINNT\system32\drivers\cd_load.exe

After a delay, the following fake error message is displayed:

Upon clicking OK, the trojan attempts to download remote files.

Symptoms

Symptoms -

See above. This downloader trojan serves to download and execute remote files.

Method of Infection

Method of Infection -

This downloader trojan serves to download and execute remote files.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A