Downloader-TZ

Type: Trojan
SubType: Downloader
Discovery Date: 01/12/2005
Length: 11776
Minimum DAT: 4419 (01/12/2005)
Updated DAT: 4494 (05/18/2005)
Minimum Engine: 5.1.00
Description Added: 01/12/2005
Description Modified: 05/26/2005 2:09 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Detection was added to cover a malicious 32-bit PE file with a file size of 11776 bytes. The file is internally compressed with UPX.

The filename is not fixed; it can be anything. A deceptive filename is usually chosen when the file is mass-spammed by its creators.

The mailing is a manual process that sends the file to a large collected e-mail address list; there is no automatic spreading by e-mail with this sample.

Upon receiving a fake, deceptive e-mail message, the user has to manually launch the attachment before it activates. There is no exploit associated with it.

Upon running, it connects to the web addresses "restore----now.biz" and "restore----now.info", from which it may download questionable programs such as adware. The exact web addresses are deliberately omitted here.

Symptoms

  • Presence of a file with matching filesize
  • Connects immediately to the mentioned web addresses
  • Downloads other files, such as adware, from there
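As an added example (not from the original advisory), a small Python triage script that checks a file for the static traits described above: the 11776-byte file size, a 32-bit x86 PE header, and the section names UPX leaves behind. The sample buffer it builds is constructed (headers only, no code) just to exercise the check; matching all three traits marks a file as a candidate for a DAT scan, not as a confirmed detection.

```python
import struct

EXPECTED_SIZE = 11776             # file size stated in the advisory
IMAGE_FILE_MACHINE_I386 = 0x014C  # COFF Machine value for 32-bit x86
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names left by the UPX packer

def parse_pe(data: bytes):
    """Return (machine, [section names]) for a PE image, or None if headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsections):
        off = table + 40 * i          # each IMAGE_SECTION_HEADER is 40 bytes, name comes first
        if off + 40 > len(data):
            return None               # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0"))
    return machine, names

def triage(data: bytes) -> dict:
    """Score a file against the advisory's static traits; 'candidate' is True only if all match."""
    result = {"size_match": len(data) == EXPECTED_SIZE, "pe32_i386": False, "upx_packed": False}
    parsed = parse_pe(data)
    if parsed is not None:
        machine, names = parsed
        result["pe32_i386"] = machine == IMAGE_FILE_MACHINE_I386
        result["upx_packed"] = any(n in UPX_SECTION_NAMES for n in names)
    result["candidate"] = all((result["size_match"], result["pe32_i386"], result["upx_packed"]))
    return result

def build_sample(size=EXPECTED_SIZE, machine=IMAGE_FILE_MACHINE_I386,
                 names=(b"UPX0", b"UPX1", b".rsrc")) -> bytes:
    """Constructed PE-shaped buffer (headers only, no code) used to exercise triage()."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    e_lfanew, opt_size = 0x80, 0xE0   # PE32 optional header is 0xE0 bytes
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, machine, len(names), 0, 0, 0, opt_size, 0x010F)
    table = e_lfanew + 24 + opt_size
    for i, name in enumerate(names):
        buf[table + 40 * i:table + 40 * i + 8] = name.ljust(8, b"\0")
    return bytes(buf)
```

To check a real file, call `triage(open(path, "rb").read())`; a size match alone is weak evidence, which is why the result also reports the PE and packer checks separately.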

Method of Infection

  • Upon receiving a fake e-mail message, the user has to manually launch the attachment before it activates. There's no exploit associated with it.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Dialer.26.BJ (Grisoft)
  • Download.Trojan (Symantec)
  • Net-Worm.Win32.Shelp.A (Ikarus)
  • TR/Dldr.Small.aui (H+BEDV)
  • Trj/Downloader.BRU (Panda)
  • Troj/SecondT-C (Sophos)
  • TROJ_SMALL.APS (Trend)
  • Trojan-Downloader.Win32.Small.aui (Kaspersky)
  • TrojanDownloader.Win32.Small.Aui (Prognet)
  • TrojanDownloader:Win32/Small.ABK (Gecad)
  • W32/DLoader.EOB (Norman)
