Generic Downloader.z

Type: Trojan
SubType: Win32
Discovery Date: 03/30/2005
Length: Varies
Minimum DAT: 4458 (03/30/2005)
Updated DAT: 6595 (01/20/2012)
Minimum Engine: 5.4.00
Description Added: 03/30/2005
Description Modified: 12/09/2011 11:26 AM (PT)
Risk Assessment:
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

--Updated on Dec 10, 2011 ----

Aliases –

    • Emsisoft - Trojan.Win32.Refroso!IK
    • Ikarus - Trojan.Win32.Refroso
    • Kaspersky - Trojan.Win32.Inject.cbtt

Upon execution, the Trojan copies itself to the location below and injects its malicious code into the legitimate process WUAUCLT.EXE to perform further malicious activity.

    • %AllUsersprofile%\Local Settings\Temp\efcd81fe0088193f.exe

The following registry keys have been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Visual Basic\6.0

The following registry value has been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
      44258 = "%AllUsersprofile%\Local Settings\Temp\efcd81fe0088193f.exe"

The above registry entry ensures that the Trojan executes every time Windows starts.

The Trojan also creates the following mutex in order to run only one instance of itself at a time:

    • 951725031

After execution, the source Trojan deletes itself from the system.

The Trojan adds the following folder to the system:

%AllUsersprofile%\Local Settings\Temp

Note – [%AllUsersprofile%- C:\Documents and Settings\All Users]

------

 

--Updated on November 17, 2011--

Aliases

  • Kaspersky - Trojan-Downloader.Win32.Deliver.mc
  • Ikarus        - Trojan-Downloader.Win32.Chepvil
  • NOD32      - Win32/TrojanDownloader.Chepvil.A
  • Microsoft - TrojanDownloader:Win32/Chepvil.N

When executed, the Trojan deletes itself and drops the following file:

  • %Temp%\piety.exe

Once executed the Trojan tries to connect to the following sites:

  • justdo[Removed]ain2.ru
  • onemor[Removed]ehi.ru

After connecting to the above sites, the Trojan performs the following malicious activities:

  • Downloads and executes other malicious files.
  • Steals sensitive information and sends it to the attacker.
  • Receives commands from the attacker.

-----------------------------------------------------

--Updated on September 9th, 2011--

Aliases

  • Kaspersky - Trojan.Win32.Yakes.chh
  • NOD32     - Win32/TrojanDownloader.Agent.QVB
  • Symantec   - Trojan.FakeAV
  • Microsoft   - TrojanDownloader:Win32/Cbeplay.O

Generic Downloader.z is the detection for this Trojan, which silently downloads and installs rogue antivirus software without user consent.

Upon execution the Trojan injects itself into svchost.exe, connects to the IP address 173.255.[Removed].28 through remote port 80 and downloads the FakeAV.

The FakeAV runs an exaggerated scan and generates false detection alerts and warnings. The intention behind the fake messages is to drive users to purchase the advertised product.

 

When executed, the Trojan drops a file into the following location:

  • %ALLUsersprofile%\application data\[Random_name]\[Random_name].exe

The following registry value has been added.

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\]
    “[Random_name]” = "%ALLUsersprofile%\application data\[Random_name]\[Random_name].exe"

The above registry entry registers the Trojan as a run entry on the compromised system so that it executes upon every reboot.

--- Updated on August 9, 2011 ---

File Information:

MD5: 0AF7DB6B11A559C27B5BDE4656818578
SHA1: b04d74741022e5599b30986aa02b202aa5f14642

When this sample is executed, it connects to the URL below to download Generic Dropper.p:

  • hxxp://ww[removed].com/2ff.exe

The sample is downloaded to the user's %TEMP% directory, usually located under C:\Documents and Settings\user\Local Settings\Temp.

After downloading the file from the URL above, the malware executes it and exits.

---

---- Updated July 15, 2011 ------

File Information -

  • MD5 - f4403d6dc9c00ef4498d1b4399eb190c
  • SHA - 8df650d53fb7c5eee6017070ef4d54ae4f9728bb

Aliases -

  • Kaspersky - Worm.Win32.AutoIt.tq
  • NOD32 - Win32/Virut.NBP
  • Symantec - W32.Imaut
  • Microsoft - Worm:AutoIt/Helompy.A

"Generic Downloader.z" attempts to copy itself to any inserted USB disk under the names of the existing folders, and the folders on the removable drive are made hidden.

When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The following registry values have been added to the system:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    run32 = "%UserProfile%\Desktop\lsass.exe"

The above registry entry ensures that the Trojan registers with the compromised system and executes upon every boot.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0x00000000

[Note : %UserProfile% -  C:\Documents and Settings\Administrator]

----------------------------

---- Updated July 13, 2011 ------

File Information -

  • MD5 - E58C868EC8E832DCE815FA69BB1B2BC4
  • SHA1 - AF4BE425DA9CBAF02C0A7126270231F33624EAB1

Aliases -

  • AVG - Downloader.Generic11.BGBB
  • Kaspersky - HEUR:Trojan.Win32.Generic
  • NOD32 - Win32/TrojanDownloader.Mebload.AL
  • Microsoft - PWS:Win32/Sinowal.gen!Y

"Generic.Downloader.Z" is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.

Upon execution the Trojan connects to the following site "yu23t[removed].com" through port 80 to download other malicious files.

Also it drops the following files.

  • %Temp%\6.tmp
  • %Temp%\7.tmp

The following registry keys have been created:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Linkage
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\NdisWanIp
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\DNSRegisteredAdapters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{A518F2B1-74F6-4C52-9C11-A726AE0670F5}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{DE833DEE-A0A3-4CB1-A501-FFFC62F8DDD1}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\PersistentRoutes
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Winsock
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Performance
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\ServiceProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec\Security

The following registry values have been created.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}\LLInterface = ""
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}\IpConfig = 'Tcpip\Parameters\Interfaces\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}'
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\NdisWanIp]
    LLInterface = "WANARP"
    IpConfig = 'Tcpip\Parameters\Interfaces\{A518F2B1-74F6-4C52-9C11-A726AE0670F5} Tcpip\Parameters\Interfaces\{DE833DEE-A0A3-4CB1-A501-FFFC62F8DDD1}'
    NumInterfaces = 0x00000002
    IpInterfaces = [binary data]

The Trojan creates the following mutex.

  • abc123333ppo

Also it connects to the following sites.

  • ydks[removed].com
  • svqbshk[removed].org
  • ns[removed]khole.org
  • utib[removed].net
  • ydk[removed].net
  • uby[removed].com
  • tuc[removed].com

[Note : %Temp% -  C:\Documents and Settings\[UserName]\Local Settings\Temp\]

----------------

---- Updated July 09, 2011 ------

File Information -

  • MD5 - A1F6FDC9E95461A55BC0DF33970BE2D8
  • SHA1 - 2D6C9E8B7F7CC2D10584AA54C197B49A8523062A

Aliases -

  • AntiVir - TR/Downloader.Gen
  • AVG - Agent2.CIFT
  • Ikarus - Gen.Trojan.Heur
  • NOD32 - a variant of Win32/Agent.SFJ

"Generic.Downloader.Z" is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.

Upon execution the Trojan connects to the following site "dete[removed].net" to download other malicious files.

Also it drops the following file.

  • %Temp%\upd[random].tmp

The following registry keys have been created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\ApplicationManager

The following registry values have been created.

  • [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\ApplicationManager]
    AppID = 0xE70B7655
    Enable = 0x00000001

[Note : %Temp% -  C:\Documents and Settings\[UserName]\Local Settings\Temp\]

-----------------------------------

---- Updated Nov 20, 2010 ------

File Information:

    • MD5 - 54f9f6dd8fbbd40ff61ed66fc9a0ac4f
    • SHA1 - 47f02a3ad00ef204a6f8cc1612bec28a61b26ebf

Aliases:

  • Comodo - TrojWare.Win32.Trojan.Agent.Gen
  • K7AntiVirus - Trojan-Downloader
  • Kaspersky - Trojan-Downloader.Win32.Agent.fcyf
  • Microsoft - TrojanDownloader:Win32/Carberp.C

"Generic.Downloader.Z" is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.

Upon execution, the Trojan copies itself to the following location:

    • %UserProfile%\Start Menu\Programs\Startup\chkntfs.exe

It drops the following file:

    • %AppData%\chkntfs.dat

After execution, the Trojan connects to the site "teenc[removed].us" and downloads the following malicious files:

    • %Temp%\2C.tmp
    • %Temp%\dwm.exe
    • %AppData%\329612.exe
    • %AppData%\Microsoft\svchost.exe
    • %UserProfile%\Local Settings\Application Data\329612.exe

The following registry key has been created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The following registry values have been created

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
       svchost = “%AppData%\Microsoft\svchost.exe”
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
      329612 = ""%AppData%\329612.exe" 0 35 "

The above registry entries ensure that the Trojan executes every time Windows starts.

    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      ProxyServer = "http=127.0.0.1:50370"

The downloaded file "329612.exe" is a fake security tool with the same behavior as FakeAlert-SpyPro.gen.p.

Also it connects to the following malicious sites to download malicious files.

    • 92.241.[removed]
    • 91.213.[removed]
    • zone[removed].com
    • protectyourpc[removed].com through remote port 80
    • rotten[removed].net/hacked/installer1.exe

[Note : %UserProfile% - C:\Documents and Settings\ [UserName],
%AppData% - C:\Documents and Settings\[UserName]\Application Data,
%Temp% -  C:\Documents and Settings\[UserName]\Local Settings\Temp\]

----------

-----Updated September 8, 2010-----

File Information:

  • MD5 : 857CDA54AFAD92E0AA0EDE5B89669470
  • SHA : F88ADFDCA09876A7DB39676C55352C001C065B22

Aliases:

  • Kaspersky: Trojan-Downloader.JS.Iframe.oj
  • Avira: JS/Dldr.IFrame.BM
  • Microsoft: TrojanDownloader:JS/Psyme.gen

Characteristics :

"Generic Downloader.z" is a JavaScript detection for malicious iframes embedded in various legitimate websites. The JavaScript generally uses the String.fromCharCode method to build the iframe HTML source from decimal Unicode values; document.write is then used to make the browser render the iframe element in the victim's web browser.

The inserted iframe usually carries the following attributes:

  • name=O1
  • Src : http://77.221.[removed]/.if/go.html
  • style=display: none
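The obfuscation described above is reversible offline when the String.fromCharCode argument list is literal: decode the decimal codes back to text, parse the result as HTML, and flag any iframe hidden with display:none or a zero size. The following decoder is an added example written for this description, not code from the original page or from the vendor; the sample script, the variable name q and the src host example.invalid are constructed placeholders, not values from the page.

```python
import re
from html.parser import HTMLParser

# Constructed sample in the shape the description gives: an iframe tag turned into a
# list of decimal character codes and rendered through document.write. The src host
# is a placeholder (example.invalid), not the address from the page.
IFRAME_HTML = '<iframe name=O1 src="http://example.invalid/.if/go.html" style="display: none"></iframe>'
SAMPLE_SCRIPT = ("var q = String.fromCharCode("
                 + ",".join(str(ord(c)) for c in IFRAME_HTML)
                 + "); document.write(q);")

# Matches a String.fromCharCode call whose arguments are literal decimal numbers only.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9\s,]+?)\s*\)")


def decode_fromcharcode(script):
    """Return the decoded text of every String.fromCharCode(...) call whose argument
    list is literal decimal numbers (the pattern this detection describes)."""
    decoded = []
    for match in FROMCHARCODE_RE.finditer(script):
        codes = [int(tok) for tok in match.group(1).split(",") if tok.strip()]
        decoded.append("".join(chr(code) for code in codes))
    return decoded


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; unquoted values (name=O1) are fine.
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def find_hidden_iframes(html):
    """Return the iframes that are hidden via display:none or a zero width/height."""
    collector = IframeCollector()
    collector.feed(html)
    hidden = []
    for frame in collector.iframes:
        style = frame.get("style", "").replace(" ", "").lower()
        if "display:none" in style or frame.get("width") == "0" or frame.get("height") == "0":
            hidden.append(frame)
    return hidden


def analyse_script(script):
    """Decode obfuscated fragments and report the hidden iframes they would render."""
    findings = []
    for html in decode_fromcharcode(script):
        for frame in find_hidden_iframes(html):
            findings.append({"name": frame.get("name", ""),
                             "src": frame.get("src", ""),
                             "style": frame.get("style", "")})
    return findings


if __name__ == "__main__":
    for finding in analyse_script(SAMPLE_SCRIPT):
        print(f"hidden iframe name={finding['name']} src={finding['src']}")
```

The decoder only handles literal decimal argument lists, which is the form this detection describes; scripts that compute the codes at runtime (arithmetic, string splitting, eval chains) need a JavaScript engine or a browser sandbox rather than a regular expression.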

Symptoms :

At the time of this analysis the web server residing at the iframe src location was unavailable.

-------------- Update April 23 ------------------

File Information 

  • MD5 - BFF86B7779D77755355458ADB6C2DDEA
  • SHA1 - DDAAB5F5495BC038DD66665425234DC308B08957

Generic.Downloader.Z is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. It usually downloads a Trojan which sends spam. It also employs rootkit behavior and other defensive techniques to avoid detection and removal.

It attempts to connect to the following remote hosts to download malicious files.

  • 74.86.76.[removed] through remote port 443
  • 210.171.131. [removed]

Upon execution, the Trojan copies itself into the following locations:

  • %windir%\system32\wuaucldt.exe detected as Generic Downloader.z
  • %UserProfile%\wuaucldt.exe detected as Generic Downloader.z

It also attempts to drop a device driver into the following location:

  • %windir%\system32\dllcache\cdrom.sys detected as Cutwail.gen.q

The Trojan uses advanced stealth (rootkit) functionality in order to hide its presence.

The following values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    syncman = "%windir%\system32\wuaucldt.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    syncman = "%UserProfile%\wuaucldt.exe"

The above registry entries ensure that wuaucldt.exe runs every time Windows starts.
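Every update in this description persists through the same handful of autostart locations: policies\Explorer\Run (Dec 10, 2011: value 44258), RunOnce (Sep 9, 2011 and Nov 20, 2010), HKLM\...\Run (July 15, 2011: run32 pointing at a Desktop copy of lsass.exe; April 23: syncman pointing at wuaucldt.exe, a misspelling of wuauclt.exe), plus the Nov 20, 2010 ProxyServer value that redirects browser traffic to a local port. A responder can review these from an exported registry hive rather than on the live host. The scanner below is an added example written for this page, not vendor code: it parses a .reg-style export and flags autostart commands whose target sits in a user-writable or temporary directory, carries the name of a Windows system binary outside System32, or is one edit away from such a name, and any ProxyServer pointing at 127.0.0.1. The export text is constructed from the entries on this page with the environment variables expanded per the page's notes; the "Updater" entry is a benign control and should not be flagged.

```python
import re

# Constructed .reg-style export (not taken from an infected host) reproducing the
# autostart and proxy entries this description lists. Paths are expanded per the
# page's notes: %AllUsersprofile% = C:\Documents and Settings\All Users,
# %UserProfile% = C:\Documents and Settings\Administrator,
# %AppData% = C:\Documents and Settings\<user>\Application Data.
# "Updater" is a benign control entry and must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"44258"="C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\efcd81fe0088193f.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"run32"="C:\\Documents and Settings\\Administrator\\Desktop\\lsass.exe"
"syncman"="C:\\WINDOWS\\system32\\wuaucldt.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"329612"="\"C:\\Documents and Settings\\user\\Application Data\\329612.exe\" 0 35 "

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:50370"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')          # "name"=<data>
AUTOSTART_RE = re.compile(r"\\Windows\\CurrentVersion\\(policies\\Explorer\\)?Run(Once)?$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Temp|Application Data|Desktop|Local Settings|Start Menu)\\", re.I)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\Windows\\system32\\[^\\]+$", re.I)
LOCAL_PROXY_RE = re.compile(r"(127\.0\.0\.1|localhost):\d+", re.I)
# Legitimate Windows binary names that this page's samples copy or misspell
# (lsass.exe on the Desktop, svchost.exe under %AppData%, wuaucldt.exe for wuauclt.exe).
SYSTEM_NAMES = ("wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")


def reg_unescape(text):
    """Undo .reg string escaping: a backslash quotes the following character."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Yield (key, value_name, string_data) for every REG_SZ line in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            match = VALUE_RE.match(line)
            if match and match.group(2).startswith('"') and match.group(2).endswith('"'):
                entries.append((key, reg_unescape(match.group(1)), reg_unescape(match.group(2)[1:-1])))
    return entries


def executable_path(command):
    """Extract the program path from an autostart command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.*?\.exe)\b", command, re.I)   # bare paths may contain spaces
    return match.group(1) if match else command.split(" ")[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_autostart(command):
    """Return the reasons an autostart command looks suspicious (empty list if none)."""
    reasons = []
    path = executable_path(command)
    base = path.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE_RE.search(path):
        reasons.append("autostart target in a user-writable or temp location")
    if base in SYSTEM_NAMES and not SYSTEM32_RE.match(path):
        reasons.append(f"system binary name {base} outside System32")
    elif base not in SYSTEM_NAMES and any(edit_distance(base, s) == 1 for s in SYSTEM_NAMES):
        reasons.append(f"{base} is a lookalike of a Windows binary name")
    return reasons


def scan_registry_export(text):
    """Run the autostart and proxy checks over a .reg export and return the findings."""
    findings = []
    for key, name, value in parse_reg(text):
        if AUTOSTART_RE.search(key):
            for reason in assess_autostart(value):
                findings.append({"key": key, "name": name, "value": value, "reason": reason})
        elif key.lower().endswith("\\internet settings") and name.lower() == "proxyserver":
            if LOCAL_PROXY_RE.search(value):
                findings.append({"key": key, "name": name, "value": value,
                                 "reason": "browser proxy points at a local port (traffic interception)"})
    return findings


if __name__ == "__main__":
    for f in scan_registry_export(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['reason']}")
```

Run it against an export taken with `reg export` of the Run, RunOnce, policies\Explorer\Run and Internet Settings keys from a suspect host. The lookalike rule is deliberately narrow (edit distance of exactly one) so that ordinary vendor updaters are not reported; the user-writable rule is the one that catches every Temp and Application Data path on this page.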

The Trojan creates the following mutex

  • MsSyncronizationManager

It connects to the following sites to get user credentials and other information.

  • k.jfc.[removed]
  • sared[removed].br
  • ssl87[removed]br
  • bu[removed]ua
  • irt[removed]p
  • news[removed]o.jp
  • billbo[removed]r
  • foru[removed]g.ua
  • ston[removed]a
  • secu[removed]m.br
  • cent[removed]jp
  • cg.ce[removed].jp
  • maste[removed]ua
  • acc[removed]d.ua
  • loj[removed]br
  • ml[removed]p
  • ms[removed].ua
  • wow.mer[removed]rg.ua
  • apply.reed[removed]o.jp
  • forums.ub[removed]x.jp

-----------------------

-- Update March 11, 2010 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2010/03/11/playstation_emulator_malware/
--

A new variant of this threat has been discovered which tries to disguise itself as a bogus PlayStation emulator.

This variant posts sensitive information from the infected machine to several websites, and downloads and installs more malicious files. All files downloaded by this program are already detected as FakeAlert-MA.gen.

Upon execution, this malware shows the following behavior:

It tries to connect to the websites below to post data and request files to download:

  • angel[removed]arts.com
  • super[removed]media.com
  • best[removed]arts.com
  • dogart[removed].com
  • dancearts[removed].com
  • art[removed]world.com

It adds the following entry to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs = 0x3A98

It deletes itself from disk.

--

This is a generic detection for Downloader trojans.

For further information, please refer to the Generic Downloader description.

Symptoms

  • Unexpected connections to the above mentioned IP addresses.
  • Presence of the above mentioned files and registry entries.
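The File Information blocks above give an MD5 and SHA1 for seven samples. Checking a suspect directory against them is the quickest confirmation of the second symptom, and is best done from a clean system against a mounted image, since the samples use rootkit behavior and self-deletion on the live host. The sweep below is an added example written for this page, not vendor code; the hash sets are copied from the description, and the demo writes a harmless constructed file to a temporary directory to show both a miss against the page's hashes and a hit when the file's own digest is supplied.

```python
import hashlib
import os
import tempfile

# MD5 and SHA1 values from the File Information blocks of this description,
# normalised to lower case so comparisons are case-insensitive.
KNOWN_MD5 = {h.lower() for h in (
    "0AF7DB6B11A559C27B5BDE4656818578", "f4403d6dc9c00ef4498d1b4399eb190c",
    "E58C868EC8E832DCE815FA69BB1B2BC4", "A1F6FDC9E95461A55BC0DF33970BE2D8",
    "54f9f6dd8fbbd40ff61ed66fc9a0ac4f", "857CDA54AFAD92E0AA0EDE5B89669470",
    "BFF86B7779D77755355458ADB6C2DDEA",
)}
KNOWN_SHA1 = {h.lower() for h in (
    "b04d74741022e5599b30986aa02b202aa5f14642", "8df650d53fb7c5eee6017070ef4d54ae4f9728bb",
    "AF4BE425DA9CBAF02C0A7126270231F33624EAB1", "2D6C9E8B7F7CC2D10584AA54C197B49A8523062A",
    "47f02a3ad00ef204a6f8cc1612bec28a61b26ebf", "F88ADFDCA09876A7DB39676C55352C001C065B22",
    "DDAAB5F5495BC038DD66665425234DC308B08957",
)}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of a file, reading it in chunks so large files fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, md5s=KNOWN_MD5, sha1s=KNOWN_SHA1):
    """Walk `root` and return the paths whose MD5 or SHA1 is in the known-bad sets."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = hash_file(path)
            except OSError:      # unreadable or vanished file: skip it and keep sweeping
                continue
            if md5 in md5s or sha1 in sha1s:
                hits.append(path)
    return hits


def demo():
    """Constructed run: one harmless file under a Temp folder in a temporary directory.
    Returns (hits against the page's hashes, hits against the file's own MD5)."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "Temp", "sample.bin")
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(b"constructed harmless sample, not malware")
        md5, _sha1 = hash_file(path)
        return len(sweep(root)), len(sweep(root, md5s={md5}, sha1s=set()))


if __name__ == "__main__":
    print(demo())   # expected: (0, 1)
```

Point `sweep` at the %Temp%, %AppData%, Startup and %windir%\system32 locations named in the updates above. Hash matching only confirms the exact samples the description lists; variants with a different hash still need the behavioural indicators (paths, registry values, mutex names) given in each update.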

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Restart the computer and remove the CD from the CD-ROM drive.

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

--Updated on Dec 10, 2011 ----

Aliases –

    • Emsisoft - Trojan.Win32.Refroso!IK
    • Ikarus - Trojan.Win32.Refroso
    • Kaspersky - Trojan.Win32.Inject.cbtt

Upon execution, the Trojan copies itself into the below mentioned location and injects its malicious code into the legitimate process WUAUCLT.EXE to perform further malicious activity.

    • %AllUsersprofile%\Local Settings\Temp\efcd81fe0088193f.exe

The following registry keys have been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Visual Basic\6.0

The following registry value has been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
      44258 = "%AllUsersprofile%\Local Settings\Temp\efcd81fe0088193f.exe"

The above mentioned registry entry confirms that, the Trojan executes every time when windows starts

Also the Trojan creates the following mutex inorder to execute only one instance of Trojan at a time

    • 951725031

After execution, the source Trojan deletes itself from the system

The Trojan adds the following folder to the system

%AllUsersprofile%s\Local Settings\Temp

Note – [%AllUsersprofile%- C:\Documents and Settings\All Users]

------

 

--Updated on November 17, 2011--

Aliases

  • Kaspersky - Trojan-Downloader.Win32.Deliver.mc
  • Ikarus        - Trojan-Downloader.Win32.Chepvil
  • NOD32      - Win32/TrojanDownloader.Chepvil.A
  • Microsoft - TrojanDownloader:Win32/Chepvil.N

When executed the Trojan deletes itself.

And drop the following file.

  • %Temp%\piety.exe

Once executed the Trojan tries to connect to the following sites:

  • justdo[Removed]ain2.ru
  • onemor[Removed]ehi.ru

After connected to the above sites the Trojan perform following malicious activities.

  • Download and executes other malicious files.
  • Steals the sensitive information and send it to the attacker.
  • Receives commands from the attacker.

-----------------------------------------------------

--Updated on September 9th, 2011--

Aliases

  • Kaspersky - Trojan.Win32.Yakes.chh
  • NOD32     - Win32/TrojanDownloader.Agent.QVB
  • Symantec   - Trojan.FakeAV
  • Microsoft   - TrojanDownloader:Win32/Cbeplay.O

Generic Downloader.z is detection for this trojan that silently downloads and installs rogue antivirus without user consent.

Upon execution the Trojan injects itself with svchost.exe and tries to connect to the IP address 173.255.[Removed].28 through a remote port 80 and downloads the Fakeav.

The Fakeav would run an exaggerated scan and generate false detection alert messages and warnings. The intention behind all the fake messages is drive users to purchase the advertised product.

 

When executed the Trojan drops the file into the following location.

  • %ALLUsersprofile%\application data\[Random_name]\[Random_name].exe

The following registry value has been added.

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\]
    “[Random_name]” = "%ALLUsersprofile%\application data\[Random_name]\[Random_name].exe"

The above mentioned registry ensures that the Trojan registers itself as a run entry with the compromised system and execute upon every reboot.

--- Updated on August 9, 2011 ---

File Information:

MD5: 0AF7DB6B11A559C27B5BDE4656818578
SHA1: b04d74741022e5599b30986aa02b202aa5f14642

When this sample is executed, it will connect to the URL below to download Generic Dropper.p

. hxxp://ww[removed].com/2ff.exe

The sample is downloaded to the user's %TEMP% directory. This folder is usually located under C:\Documents and Settings\user\Local Settings\Temp

After downloading the URL above, the malware will execute it and exit

---

---- Updated July 15, 2011 ------File Information -

  • MD5 - f4403d6dc9c00ef4498d1b4399eb190c
  • SHA - 8df650d53fb7c5eee6017070ef4d54ae4f9728bb

Aliases -

  • Kaspersky - Worm.Win32.AutoIt.tq
  • NOD32 - Win32/Virut.NBP
  • Symantec - W32.Imaut
  • Microsoft - Worm:AutoIt/Helompy.A

“Generic Downloader.z“ attempts to copies of itself in any inserted usb disk, in the names of existing folders and the folders in the removable drive are made hidded.

When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The following registry Values has been added to the system.

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    run32 = "%UserProfile%\Desktop\lsass.exe"

The above mentioned registry ensures that, the Trojan registers with the compromised system and execute itself upon every boot.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0x00000000

[Note : %UserProfile% -  C:\Documents and Settings\Administrator]

----------------------------

---- Updated July 13, 2011 ------

File Information -

  • MD5 - E58C868EC8E832DCE815FA69BB1B2BC4
  • SHA1 - AF4BE425DA9CBAF02C0A7126270231F33624EAB1

Aliases -

  • AVG - Downloader.Generic11.BGBB
  • Kaspersky - HEUR:Trojan.Win32.Generic
  • NOD32 - Win32/TrojanDownloader.Mebload.AL
  • Microsoft - PWS:Win32/Sinowal.gen!Y

"Generic.Downloader.Z" is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.

Upon execution the Trojan connects to the following site "yu23t[removed].com" through port 80 to download other malicious files.

Also it drops the following files.

  • %Temp%\6.tmp
  • %Temp%\7.tmp

The following registry key has been created.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Linkage
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\NdisWanIp
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\DNSRegisteredAdapters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{A518F2B1-74F6-4C52-9C11-A726AE0670F5}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{DE833DEE-A0A3-4CB1-A501-FFFC62F8DDD1}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\PersistentRoutes
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Winsock
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Performance
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\ServiceProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec\Security

The following registry values have been created.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}\LLInterface = ""
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}\IpConfig = 'Tcpip\Parameters\Interfaces\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}'
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\NdisWanIp]
    LLInterface = "WANARP"
    IpConfig = 'Tcpip\Parameters\Interfaces\{A518F2B1-74F6-4C52-9C11-A726AE0670F5} Tcpip\Parameters\Interfaces\{DE833DEE-A0A3-4CB1-A501-FFFC62F8DDD1}'
    NumInterfaces = 0x00000002
    IpInterfaces = [binary data]

The Trojan creates the following mutex.

  • abc123333ppo

Also it connects to the following sites.

  • ydks[removed].com
  • svqbshk[removed].org
  • ns[removed]khole.org
  • utib[removed].net
  • ydk[removed].net
  • uby[removed].com
  • tuc[removed].com

[Note : %Temp% -  C:\Documents and Settings\[UserName]\Local Settings\Temp\]

----------------

---- Updated July 09, 2011 ------

File Information -

  • MD5 - A1F6FDC9E95461A55BC0DF33970BE2D8
  • SHA1 - 2D6C9E8B7F7CC2D10584AA54C197B49A8523062A

Aliases -

  • AntiVir - TR/Downloader.Gen
  • AVG - Agent2.CIFT
  • Ikarus - Gen.Trojan.Heur
  • NOD32 - a variant of Win32/Agent.SFJ

"Generic.Downloader.Z" is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.

Upon execution the Trojan connects to the following site "dete[removed].net" to download other malicious files.

Also it drops the following file.

  • %Temp%\upd[random].tmp

The following registry key has been created.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\ApplicationManager

The following registry values have been created.

  • [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\ApplicationManager]
    AppID = 0xE70B7655
    Enable = 0x00000001

[Note : %Temp% -  C:\Documents and Settings\[UserName]\Local Settings\Temp\]

-----------------------------------

---- Updated Nov 20, 2010 ------

File Information:

    • MD5 - 54f9f6dd8fbbd40ff61ed66fc9a0ac4f
    • SHA1 -: 47f02a3ad00ef204a6f8cc1612bec28a61b26ebf

Aliases:

  • Comodo - TrojWare.Win32.Trojan.Agent.Gen
  • K7AntiVirus - Trojan-Downloader
  • Kaspersky - Trojan-Downloader.Win32.Agent.fcyf
  • Microsoft - TrojanDownloader:Win32/Carberp.C

Generic.Downloader.Z“ is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.

Upon execution the Trojan copies itself into the below mentioned location

    • %UserProfile%\Start Menu\Programs\Startup\chkntfs.exe

It drops the following file

    • %AppData%\chkntfs.dat

After execution, the Trojan connects to the site "teenc[removed].us " and downloads the following malicious files.

    • %Temp%\2C.tmp
    • %Temp%\dwm.exe
    • %AppData%\329612.exe
    • %AppData%\Microsoft\svchost.exe
    • %UserProfile%\Local Settings\Application Data\329612.exe

The following registry key has been created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

The following registry values have been created

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
       svchost = “%AppData%\Microsoft\svchost.exe”
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
      329612 = ""%AppData%\329612.exe" 0 35 "

The above registry entries confirms that, the Trojan executes every time when windows starts

    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      ProxyServer = "http=127.0.0.1:50370"

The downloaded file “329612.exe” is fake security tool which has the same behavior of FakeAlert-SpyPro.gen.p.

Also it connects to the following malicious sites to download malicious files.

    • 92.241.[removed]
    • 91.213..[removed]
    • zone[removed].com
    • protectyourpc[removed].com through remote port  80
    • rotten[removed].net/hacked/installer1.exe

[Note : %UserProfile% - C:\Documents and Settings\ [UserName],
%AppData% - C:\Documents and Settings\[UserName]\Application Data,
%Temp% -  C:\Documents and Settings\[UserName]\Local Settings\Temp\]

----------

-----Updated September 8, 2010-----

File Information:

  • MD5 : 857CDA54AFAD92E0AA0EDE5B89669470
  • SHA : F88ADFDCA09876A7DB39676C55352C001C065B22

Aliases:

  • Kaspersky: Trojan-Downloader.JS.Iframe.oj
  • Avira: JS/Dldr.IFrame.BM
  • Microsoft: TrojanDownloader:JS/Psyme.gen

Characteristics :

"Generic Downloader.z" is javascript detection for malicious IFrames embedded on various legitimate websites. The javascript itself generally uses the String.fromCharCode method to generate the iframe HTML source from decimal Unicode values. document.write is then used to make the web browser render the iframe element within the victims web browser.

The inserted iframe usually contains the following elements

  • name=O1
  • Src : http://77.221.[removed]/.if/go.html
  • style=display: none

Symptoms :

At the time of this analysis the web server residing at the iframe src location was unavailable.

-------------- Update April 23 ------------------

File Information 

  • MD5 - BFF86B7779D77755355458ADB6C2DDEA
  • SHA1 - DDAAB5F5495BC038DD66665425234DC308B08957

Generic.Downloader.Z is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. It usually downloads a Trojan which sends spam. It also employs rootkits behavior and other defensive techniques to avoid detection and removal.

It attempts to connect to the following remote hosts to download malicious files:

  • 74.86.76.[removed] through remote port 443
  • 210.171.131.[removed]

Upon execution, the Trojan copies itself into the following locations:

  • %windir%\system32\wuaucldt.exe detected as Generic Downloader.z
  • %UserProfile%\wuaucldt.exe detected as Generic Downloader.z

And it attempts to drop a device driver into the following location:

  • %windir%\system32\dllcache\cdrom.sys detected as Cutwail.gen.q

The Trojan uses advanced stealth (rootkit) functionality in order to hide its presence.

The following registry values are added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    syncman = "%windir%\system32\wuaucldt.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    syncman = "%UserProfile%\wuaucldt.exe"

The above registry entries ensure that wuaucldt.exe runs every time Windows starts.
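A check for this persistence pattern, as an added example that is not part of the original description: it parses Run-key values from a registry export and flags image names that are a near miss of a legitimate Windows binary, as wuaucldt.exe is of wuauclt.exe. The list of legitimate names and the sample export are assumptions constructed here.

```python
import difflib
import ntpath
from typing import List, Optional, Tuple

# Legitimate Windows components an impostor name is likely to imitate
# (wuauclt.exe is the Automatic Updates client). Assumed list, not from the page.
KNOWN_BINARIES = ["csrss.exe", "explorer.exe", "lsass.exe", "svchost.exe", "wuauclt.exe"]

# Constructed sample in the layout of a "reg export" of the two Run keys; the
# syncman entries mirror the values listed above, OneDrive is a benign control.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syncman"="%windir%\\system32\\wuaucldt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"syncman"="%UserProfile%\\wuaucldt.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
'''


def parse_run_values(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every value under a ...\\Run key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith(r"\currentversion\run") and line.startswith('"'):
            name, _, data = line.partition("=")
            # reg export doubles backslashes inside REG_SZ data; undo that
            entries.append((key, name.strip('"'), data.strip('"').replace("\\\\", "\\")))
    return entries


def lookalike(image: str) -> Optional[str]:
    """Name of the legitimate binary this image name imitates, or None."""
    image = image.lower()
    if image in KNOWN_BINARIES:
        return None
    close = difflib.get_close_matches(image, KNOWN_BINARIES, n=1, cutoff=0.85)
    return close[0] if close else None


def suspicious_run_entries(reg_text: str) -> List[dict]:
    """Flag Run values whose image name is a near miss of a system binary."""
    findings = []
    for key, value_name, data in parse_run_values(reg_text):
        image = ntpath.basename(data.split(" /")[0])  # drop trailing switches
        twin = lookalike(image)
        if twin:
            findings.append({"key": key, "value": value_name,
                             "image": image, "imitates": twin})
    return findings
```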

The Trojan creates the following mutex:

  • MsSyncronizationManager

It connects to a number of sites (listed in redacted form in the original description) to collect user credentials and other information.


-----------------------

-- Update March 11, 2010 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2010/03/11/playstation_emulator_malware/
--

A new variant of this threat has been discovered which tries to disguise itself as a bogus PlayStation emulator.

This variant posts sensitive information from the infected machine to several websites, and downloads and installs more malicious files. All files downloaded by this program are already detected as FakeAlert-MA.gen.

Upon execution, this malware shows the following behavior:

Tries to connect to the websites below to post data and request files to download:

  • angel[removed]arts.com
  • super[removed]media.com
  • best[removed]arts.com
  • dogart[removed].com
  • dancearts[removed].com
  • art[removed]world.com

Adds the following registry entry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs = 0x3A98

Deletes itself from disk.

--

This is a generic detection for Downloader trojans.

For further information, please refer to the Generic Downloader description.

Symptoms

  • Unexpected connections to the above mentioned IP addresses.
  • Presence of the above mentioned files and registry entries.

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Reset and remove the CD from the CD-ROM drive.

Variants

    N/A