Downloader-TO

Type
Trojan
SubType
Downloader
Discovery Date
12/28/2004
Length
6,731 bytes
Minimum DAT
4417 (12/29/2004)
Updated DAT
4417 (12/29/2004)
Minimum Engine
5.1.00
Description Added
12/28/2004
Description Modified
12/28/2004 10:48 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This downloader trojan is itself downloaded via an HTA file (named Microsoft Office.hta and detected with the current DAT files as VBS/Psyme) that is believed to be used in conjunction with a recent Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability exploit.

The exploit is believed to save the file Microsoft Office.hta to the startup directory. Upon reboot, this file downloads a remote file named server.exe, saves it to the local system as c:\malware.exe, and executes it. malware.exe is the Downloader-TO trojan.

Once run, this trojan adds itself to the Windows XP SP2 authorized applications firewall policy list (as cmsscs). It also adds an entry for the file that it downloads (C:\WINDOWS\tgbcde\module32.exe, as module32).

The trojan attempts to terminate firewall processes that may prevent it from functioning:

  • ccapp.exe
  • zapro.exe
  • armor2net.exe
  • ZAPRO.EXE
  • amon.exe
  • MpfService.exe
  • zonealarm.exe
  • outpost.exe
  • firewall.exe
  • atguard.exe
  • tpfw.exe
  • kpf4ss.exe
  • NPROTECT.EXE

Finally, the trojan downloads a file via HTTP from 67.15.113.23 and executes it. At the time of this writing, the downloaded file contained a proxy server trojan.

Symptoms

  • Presence of an unexpected entry in the Windows XP SP2 authorized application firewall policy list.
  • Presence of the file c:\malware.exe
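As an added defender-side check (not part of the original description), the following Python script inspects Windows XP SP2 authorized-application firewall entries for the two indicators named in the Characteristics and Symptoms above, and also flags any entry whose executable sits directly in a drive root (as c:\malware.exe does). The registry key path and the `path:scope:state:name` value format are assumptions from memory, not from this page, and the sample list is constructed.

```python
import re
import sys

# Indicators taken from the Downloader-TO description above.
KNOWN_DISPLAY_NAMES = {"cmsscs", "module32"}
KNOWN_PATHS = {r"c:\malware.exe", r"c:\windows\tgbcde\module32.exe"}

# Assumption (from memory, not from the description): XP SP2 keeps each
# authorized application as a REG_SZ value under this HKLM key, with data
# of the form "<path>:<scope>:<Enabled|Disabled>:<display name>".
FIREWALL_LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed sample list; the first entry stands in for a legitimate program.
SAMPLE_LIST = [
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\malware.exe:*:Enabled:cmsscs",
    r"C:\WINDOWS\tgbcde\module32.exe:*:Enabled:module32",
]


def parse_entry(data):
    """Split one List value into (path, scope, state, name); None if malformed.
    rsplit from the right keeps the drive-letter colon inside the path."""
    parts = data.rsplit(":", 3)
    return tuple(parts) if len(parts) == 4 else None


def suspicious_entries(values):
    """Return (path, name, reasons) for every entry that trips an indicator."""
    hits = []
    for data in values:
        parsed = parse_entry(data)
        if parsed is None:
            hits.append((data, "", ["unparseable entry"]))
            continue
        path, _scope, _state, name = parsed
        reasons = []
        if path.lower() in KNOWN_PATHS:
            reasons.append("path matches Downloader-TO indicator")
        if name.lower() in KNOWN_DISPLAY_NAMES:
            reasons.append("display name matches Downloader-TO indicator")
        if re.fullmatch(r"[a-z]:\\[^\\]+", path.lower()):
            reasons.append("executable located directly in a drive root")
        if reasons:
            hits.append((path, name, reasons))
    return hits


def read_live_list():
    """Enumerate the List values from the registry; empty off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_LIST_KEY) as key:
        index = 0
        while True:
            try:
                _name, data, _type = winreg.EnumValue(key, index)
            except OSError:
                break
            values.append(data)
            index += 1
    return values


if __name__ == "__main__":
    for path, name, reasons in suspicious_entries(read_live_list() or SAMPLE_LIST):
        print(f"{path} ({name}): {'; '.join(reasons)}")
```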

Method of Infection

This trojan is believed to be installed via a recent Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability exploit.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Trojan-Downloader.Win32.Small.afb (AVP)
