McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Trj/Downloader.FHB - Panda

• Trojan W32/DLoader.GPT - Norman

• Trojan-Downloader.Win32.Small.bhs -Kaspersky

• Trojan.DownLoader.4499 - Dr.Web

• W32/Downloader.URB - F-Secure

• Win32/TrojanDownloader.Small.BEH - Nod32

Characteristics

Downloader-XT is a downloader Trojan consisting of a server component and a server editor component. The characteristics of this Trojan with regards to the file names, files downloaded, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The server editor component is also used for the following:

• Configure the link for the files to be downloaded
• Change the Icon for the server created, to make it look legitimate
• Bind the server with another legitimate executable
• Configure a fake error message to be displayed when the server is executed

Server Component:

When the server component is executed, it downloads the files from the URLs pre-configured by the attacker. The downloader by itself doesn’t create any startup registry entries, and hence doesn’t execute on system startup.

Miscellaneous Information:

The author’s intended name for this downloader Trojan is “SIS-Downloader”

Symptoms

Desktop firewall program alerting that a foreign program is trying to access the internet

Method of Infection

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Trj/Downloader.FHB - Panda

• Trojan W32/DLoader.GPT - Norman

• Trojan-Downloader.Win32.Small.bhs -Kaspersky

• Trojan.DownLoader.4499 - Dr.Web

• W32/Downloader.URB - F-Secure

• Win32/TrojanDownloader.Small.BEH - Nod32

Characteristics

Characteristics -

Downloader-XT is a downloader Trojan consisting of a server component and a server editor component. The characteristics of this Trojan with regards to the file names, files downloaded, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Server Editor Component:

The server editor component is used by the attacker to create the server component.

The server editor component is also used for the following:

• Configure the link for the files to be downloaded
• Change the Icon for the server created, to make it look legitimate
• Bind the server with another legitimate executable
• Configure a fake error message to be displayed when the server is executed

Server Component:

When the server component is executed, it downloads the files from the URLs pre-configured by the attacker. The downloader by itself doesn’t create any startup registry entries, and hence doesn’t execute on system startup.

Miscellaneous Information:

The author’s intended name for this downloader Trojan is “SIS-Downloader”

Symptoms

Symptoms -

Desktop firewall program alerting that a foreign program is trying to access the internet

Method of Infection

Method of Infection -

• Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial
• Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems
• Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A