Generic MultiDropper.d

Type: Trojan
SubType: Win32
Discovery Date: 03/08/2005
Length: varies
Minimum DAT: 4425 (02/02/2005)
Updated DAT: 5765 (10/08/2009)
Minimum Engine: 5.1.00
Description Added: 02/02/2005
Description Modified: 05/13/2008 11:51 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update on May 13, 2008 --

Upon execution, a new variant of Generic Multidropper.d drops the following files and folder:

  • %Windir%\System32\wsnpoem\ (hidden folder)
  • %Windir%\System32\wsnpoem\audio.dll (hidden data file)
  • %Windir%\System32\wsnpoem\video.dll (hidden data file)
  • %Windir%\System32\ntos.exe (hidden file, identified as Spy-Agent.bw trojan)

(Where %Windir% is the Windows folder; C:\Windows)

  • %USER_PROFILE%\Local Settings\Temp\cc4531.exe (identified as Generic FakeAlert trojan)
  • %USER_PROFILE%\Local Settings\Temp\crypt.exe (identified as Spy-Agent.bw trojan)

(Where %USER_PROFILE% is the default user profile folder, such as C:\Documents and Settings\Administrator if the current user is Administrator.)

It or its dropped components attempt to connect to the following servers:

  • razvlekalovo.net
  • service-porn.com
  • protect.antispywarecontrol.com

----------------------

The files dropped by Generic Multidropper.d differ between variants. This particular version drops the Adware-Softomate and Adware-IWantSearch files onto the infected system.

Upon execution, the following files are dropped onto the infected system:

  • Activate.exe (detected as Generic Toolbar.b, 35,840 bytes)
  • MyToolBar.dll (detected as Adware-IWantSearch, 96,768 bytes)
  • services.dll (detected as Generic Toolbar.b, 6,144 bytes)
  • Update.exe (detected as Generic Toolbar.b, 14,336 bytes)

The following registry entries are created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    "{B4EAC516-07C9-2057-0729-050001}" = "C:\Program Files\Common Files\{B4EAC516-07C9-2057-0729-050001}\Update.exe"
    mc-110-12-0001120"
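The file, folder, registry and server indicators listed above are the practical handle a responder has on this detection. The following PowerShell script is an added example, not part of McAfee's description: a read-only hunt that checks a single Windows host for exactly those artifacts and reports what it finds without deleting anything. It assumes an elevated session, that PowerShell 3 or later is available (for the -in operator), and that the XP-era "Local Settings\Temp" layout named on the page may be absent on newer Windows, so each profile's "AppData\Local\Temp" is checked as well. The DNS-cache check for the contact servers is best-effort only, since the resolver cache is transient.

```powershell
# Added example (not McAfee's code): read-only hunt for the Generic MultiDropper.d
# artifacts named in the description. Assumes an elevated PowerShell 3+ session.

$windir   = $env:WINDIR
$findings = New-Object System.Collections.Generic.List[string]

# 1. Hidden folder and dropped files under %Windir%\System32 (May 2008 variant).
#    -Force is needed so Get-Item also returns items carrying the Hidden attribute.
$systemArtifacts = @(
    "$windir\System32\wsnpoem",
    "$windir\System32\wsnpoem\audio.dll",
    "$windir\System32\wsnpoem\video.dll",
    "$windir\System32\ntos.exe"
)
foreach ($path in $systemArtifacts) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings.Add("file/folder present: $path (attributes: $($item.Attributes))")
    }
}

# 2. Temp-folder droppers, checked in every user profile on the machine.
#    'Local Settings\Temp' is the layout the page names; 'AppData\Local\Temp' is the
#    Vista-and-later equivalent (assumption, added for newer hosts).
$profileRoot = Split-Path -Parent $env:USERPROFILE
foreach ($profile in Get-ChildItem -LiteralPath $profileRoot -Directory -Force -ErrorAction SilentlyContinue) {
    $tempDirs = @(
        (Join-Path $profile.FullName 'Local Settings\Temp'),
        (Join-Path $profile.FullName 'AppData\Local\Temp')
    )
    foreach ($dir in $tempDirs) {
        foreach ($name in 'cc4531.exe', 'crypt.exe') {
            $candidate = Join-Path $dir $name
            if (Test-Path -LiteralPath $candidate) {
                $findings.Add("temp dropper present: $candidate")
            }
        }
    }
}

# 3. Explorer\Run policy value used by the adware-dropping variant.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$valueName = '{B4EAC516-07C9-2057-0729-050001}'
if (Test-Path -LiteralPath $runKey) {
    $value = Get-ItemProperty -LiteralPath $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($value) {
        $findings.Add("registry persistence: $runKey\$valueName = $($value.$valueName)")
    }
    # This policy key is rarely populated on a clean workstation, so any other
    # value under it is flagged for review as well.
    (Get-Item -LiteralPath $runKey).GetValueNames() |
        Where-Object { $_ -ne $valueName } |
        ForEach-Object { $findings.Add("other Explorer\Run policy value (review): $_") }
}

# 4. Dropped adware components in the Common Files folder the Run value points at.
$dropFolder = "${env:ProgramFiles}\Common Files\$valueName"
if (Test-Path -LiteralPath $dropFolder) {
    Get-ChildItem -LiteralPath $dropFolder -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'Activate.exe', 'MyToolBar.dll', 'services.dll', 'Update.exe' } |
        ForEach-Object { $findings.Add("dropped component: $($_.FullName) ($($_.Length) bytes)") }
}

# 5. Contact-server names from the page, looked for in the local DNS resolver cache.
$domains = 'razvlekalovo.net', 'service-porn.com', 'protect.antispywarecontrol.com'
$cache   = ipconfig /displaydns 2>$null
foreach ($d in $domains) {
    if ($cache -match [regex]::Escape($d)) {
        $findings.Add("DNS cache holds an entry for $d")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Generic MultiDropper.d artifacts from the description were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The script deliberately reports rather than removes: the description's own removal guidance is to let a current engine and DAT set delete detected files, and a hunt that also confirms the Explorer\Run policy value and the System32\wsnpoem folder gives you the evidence to tell a full infection from a stray temp-file hit. Run it on a sample of hosts before touching the fleet so you know which indicators actually fire.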


Symptoms

  • Existence of files and registry keys mentioned on the Characteristics tab

Method of Infection

This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include IRC, peer-to-peer file-sharing networks, attachments to newsgroup postings or email, etc. The file is likely to be named so as to entice the victim to run it (e.g. NEW_YEAR.EXE).

Trojans may also be received as a result of poor security practices (weak username/password combinations on open shares, lack of or misconfigured firewall protection) or unpatched and vulnerable systems.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is the description for the Generic Multidropper.d trojan detection. As with most multidropper trojans, its main purpose is to drop various adware or malware files onto the infected system; this detection covers a sample that drops several adware components onto the local system.
