Del-457

Type: Trojan
SubType: Win32
Discovery Date: 08/25/2004
Length: Varies
Minimum DAT: 4388 (08/25/2004)
Updated DAT: 4388 (08/25/2004)
Minimum Engine: 5.1.00
Description Added: 08/25/2004
Description Modified: 08/31/2004 3:23 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This trojan is downloaded as part of an adware application, which is detected as Adware-Virtumondo. The file purports to be an adware remover, but it also removes several files and registry entries that are not associated with adware applications.

Installation

This trojan is placed on the local system by the adware downloader application. In a test environment the downloader did not execute the file automatically; it had to be run manually. The trojan does not create any registry entries to restart itself, so once it has been run it will not run again on its own.

Registry Changes

When run, this trojan changed or removed data from many registry entries.

The following registry entries had data that was changed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData"
    New data: C:\Documents and Settings\LocalService\Application Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
    New data: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
    New data: C:\Documents and Settings\LocalService\Cookies
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
    New data: C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Local AppData"
    New data: C:\Documents and Settings\LocalService\Local Settings\Application Data

The following registry values had their data removed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Administrative Tools"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Desktop"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Favorites"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "My Music"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "My Pictures"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "NetHood"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Personal"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "PrintHood"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Programs"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Recent"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "SendTo"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Start Menu"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Startup"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Templates"
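As an added example (not McAfee's code), the following Python audit checks the HKCU Shell Folders values named above for the two kinds of damage described: values rewritten to point under the LocalService profile, and values that are missing entirely. It runs offline on a {name: data} snapshot and, on Windows, can read the live key through winreg; the sample snapshot and the profile path C:\Documents and Settings\user are constructed for illustration.

```python
# Added audit (not McAfee's code) for the Shell Folders tampering described above.
SHELL_FOLDERS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
# Values the description says were rewritten to point at the LocalService profile.
REDIRECTED = ("AppData", "Cache", "Cookies", "History", "Local AppData")
# Values the description says were deleted outright.
DELETED = ("Administrative Tools", "Desktop", "Favorites", "My Music", "My Pictures",
           "NetHood", "Personal", "PrintHood", "Programs", "Recent", "SendTo",
           "Start Menu", "Startup", "Templates")
LOCALSERVICE_PROFILE = r"c:\documents and settings\localservice"  # root written by the trojan


def audit_shell_folders(values):
    """Check a {value_name: data} snapshot of the HKCU Shell Folders key and return
    (value_name, finding) pairs; an empty list means no sign of Del-457 tampering."""
    findings = []
    for name in REDIRECTED:
        data = values.get(name)
        if data is None:
            findings.append((name, "missing"))
        elif data.lower().startswith(LOCALSERVICE_PROFILE):
            findings.append((name, "redirected to LocalService profile"))
    for name in DELETED:
        if name not in values:
            findings.append((name, "missing"))
    return findings


def clean_snapshot(profile):
    """Constructed healthy snapshot: every expected value points under `profile`."""
    return {name: profile + "\\" + name for name in REDIRECTED + DELETED}


def read_live_shell_folders():
    """Windows only: snapshot the current user's Shell Folders key with winreg."""
    import winreg  # importable only on Windows, hence the local import
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, SHELL_FOLDERS_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # past the last value
                break
            values[name] = data
            index += 1
    return values


# Constructed tampered sample: "AppData" redirected, "Desktop" deleted.
SAMPLE_TAMPERED = clean_snapshot(r"C:\Documents and Settings\user")
SAMPLE_TAMPERED["AppData"] = r"C:\Documents and Settings\LocalService\Application Data"
del SAMPLE_TAMPERED["Desktop"]
```

On a Windows host, pass read_live_shell_folders() to audit_shell_folders() to check the current user's profile; a finding on any value is a reason to run a full scan with current DATs.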

File Deletion

Running this trojan deleted every file named Setup.exe in any directory, and every file named Readme.txt in sub-directories of Program Files. The following DLL files were also removed from the Windows System directory:

  • cd_clint.dll
  • cd_htm.dll

Symptoms

  • Changes to the registry entries listed above
  • Removal of the files listed above

Method of Infection

Because the adware downloader is set to run each time the affected system is restarted, it will continue to download the trojan until the adware application has been removed. Because the downloader does not execute the trojan automatically, the trojan may be present and detected without ever having been run, in which case the affected system will not have been damaged.

For removal instructions for the adware application, please see the Adware-Virtumondo description.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.