Generic Downloader.z
- Type: Trojan
- SubType: Win32
- Discovery Date: 03/30/2005
- Length: Varies
- Minimum DAT: 4458 (03/30/2005)
- Updated DAT: 6595 (01/20/2012)
- Minimum Engine: 5.4.00
- Description Added: 03/30/2005
- Description Modified: 12/09/2011 11:26 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
--Updated on Dec 10, 2011 ----
Aliases –
- Emsisoft - Trojan.Win32.Refroso!IK
- Ikarus - Trojan.Win32.Refroso
- Kaspersky - Trojan.Win32.Inject.cbtt
Upon execution, the Trojan copies itself to the location below and injects its malicious code into the legitimate process WUAUCLT.EXE to carry out further malicious activity.
- %AllUsersprofile%\Local Settings\Temp\efcd81fe0088193f.exe
The following registry keys have been added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Visual Basic\6.0
The following registry value has been added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
44258 = "%AllUsersprofile%\Local Settings\Temp\efcd81fe0088193f.exe"
The registry entry above ensures that the Trojan executes every time Windows starts.
The Trojan also creates the following mutex so that only one instance of it runs at a time:
- 951725031
After execution, the original Trojan file deletes itself from the system.
The Trojan adds the following folder to the system:
- %AllUsersprofile%\Local Settings\Temp
[Note : %AllUsersprofile% - C:\Documents and Settings\All Users]
------
--Updated on November 17, 2011--
Aliases
- Kaspersky - Trojan-Downloader.Win32.Deliver.mc
- Ikarus - Trojan-Downloader.Win32.Chepvil
- NOD32 - Win32/TrojanDownloader.Chepvil.A
- Microsoft - TrojanDownloader:Win32/Chepvil.N
When executed, the Trojan deletes itself and drops the following file:
- %Temp%\piety.exe
Once executed the Trojan tries to connect to the following sites:
- justdo[Removed]ain2.ru
- onemor[Removed]ehi.ru
After connecting to the sites above, the Trojan performs the following malicious activities:
- Downloads and executes other malicious files.
- Steals sensitive information and sends it to the attacker.
- Receives commands from the attacker.
-----------------------------------------------------
--Updated on September 9th, 2011--
Aliases
- Kaspersky - Trojan.Win32.Yakes.chh
- NOD32 - Win32/TrojanDownloader.Agent.QVB
- Symantec - Trojan.FakeAV
- Microsoft - TrojanDownloader:Win32/Cbeplay.O
Generic Downloader.z is the detection for this Trojan, which silently downloads and installs rogue antivirus software without user consent.
Upon execution, the Trojan injects itself into svchost.exe, connects to the IP address 173.255.[Removed].28 on remote port 80, and downloads the FakeAV.
The FakeAV runs an exaggerated scan and generates false detection alerts and warnings. The purpose of the fake messages is to drive users to purchase the advertised product.
When executed, the Trojan drops its file into the following location:
- %ALLUsersprofile%\application data\[Random_name]\[Random_name].exe
The following registry value has been added:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"[Random_name]" = "%ALLUsersprofile%\application data\[Random_name]\[Random_name].exe"
The registry entry above registers the Trojan as a run entry on the compromised system so that it executes upon every reboot.
--- Updated on August 9, 2011 ---
File Information:
- MD5: 0AF7DB6B11A559C27B5BDE4656818578
- SHA1: b04d74741022e5599b30986aa02b202aa5f14642
When this sample is executed, it connects to the URL below to download Generic Dropper.p:
- hxxp://ww[removed].com/2ff.exe
The sample is downloaded to the user's %TEMP% directory. This folder is usually located under C:\Documents and Settings\user\Local Settings\Temp.
After downloading the file from the URL above, the malware executes it and exits.
---
---- Updated July 15, 2011 ------
File Information -
- MD5 - f4403d6dc9c00ef4498d1b4399eb190c
- SHA - 8df650d53fb7c5eee6017070ef4d54ae4f9728bb
Aliases -
- Kaspersky - Worm.Win32.AutoIt.tq
- NOD32 - Win32/Virut.NBP
- Symantec - W32.Imaut
- Microsoft - Worm:AutoIt/Helompy.A
"Generic Downloader.z" attempts to copy itself to any inserted USB disk under the names of the existing folders, and the original folders on the removable drive are marked hidden.
When the removable or networked drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.
The following registry values have been added to the system:
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
run32 = "%UserProfile%\Desktop\lsass.exe"
The registry entry above registers the Trojan with the compromised system so that it executes upon every boot.
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0x00000000
[Note : %UserProfile% - C:\Documents and Settings\Administrator]
----------------------------
---- Updated July 13, 2011 ------
File Information -
- MD5 - E58C868EC8E832DCE815FA69BB1B2BC4
- SHA1 - AF4BE425DA9CBAF02C0A7126270231F33624EAB1
Aliases -
- AVG - Downloader.Generic11.BGBB
- Kaspersky - HEUR:Trojan.Win32.Generic
- NOD32 - Win32/TrojanDownloader.Mebload.AL
- Microsoft - PWS:Win32/Sinowal.gen!Y
"Generic.Downloader.Z" is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.
Upon execution, the Trojan connects to the site "yu23t[removed].com" through port 80 to download other malicious files.
It also drops the following files:
- %Temp%\6.tmp
- %Temp%\7.tmp
The following registry keys have been created:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Linkage
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\NdisWanIp
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\DNSRegisteredAdapters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{A518F2B1-74F6-4C52-9C11-A726AE0670F5}
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Interfaces\{DE833DEE-A0A3-4CB1-A501-FFFC62F8DDD1}
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\PersistentRoutes
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Winsock
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Performance
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\ServiceProvider
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpsec\Security
The following registry values have been created.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}\LLInterface = ""
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}\IpConfig = 'Tcpip\Parameters\Interfaces\{2EB51668-B745-49DA-BB5D-9ACEFDC7E3AD}'
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xcpip\Parameters\Adapters\NdisWanIp]
LLInterface = "WANARP"
IpConfig = 'Tcpip\Parameters\Interfaces\{A518F2B1-74F6-4C52-9C11-A726AE0670F5} Tcpip\Parameters\Interfaces\{DE833DEE-A0A3-4CB1-A501-FFFC62F8DDD1}'
NumInterfaces = 0x00000002
IpInterfaces = [binary data]
The Trojan creates the following mutex:
- abc123333ppo
It also connects to the following sites:
- ydks[removed].com
- svqbshk[removed].org
- ns[removed]khole.org
- utib[removed].net
- ydk[removed].net
- uby[removed].com
- tuc[removed].com
[Note : %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp\]
----------------
---- Updated July 09, 2011 ------
File Information -
- MD5 - A1F6FDC9E95461A55BC0DF33970BE2D8
- SHA1 - 2D6C9E8B7F7CC2D10584AA54C197B49A8523062A
Aliases -
- AntiVir - TR/Downloader.Gen
- AVG - Agent2.CIFT
- Ikarus - Gen.Trojan.Heur
- NOD32 - a variant of Win32/Agent.SFJ
"Generic.Downloader.Z" is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.
Upon execution, the Trojan connects to the site "dete[removed].net" to download other malicious files.
It also drops the following file:
- %Temp%\upd[random].tmp
The following registry keys have been created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\ApplicationManager
The following registry values have been created.
- [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\ApplicationManager]
AppID = 0xE70B7655
Enable = 0x00000001
[Note : %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp\]
-----------------------------------
---- Updated Nov 20, 2010 ------
File Information:
- MD5 - 54f9f6dd8fbbd40ff61ed66fc9a0ac4f
- SHA1 - 47f02a3ad00ef204a6f8cc1612bec28a61b26ebf
Aliases:
- Comodo - TrojWare.Win32.Trojan.Agent.Gen
- K7AntiVirus - Trojan-Downloader
- Kaspersky - Trojan-Downloader.Win32.Agent.fcyf
- Microsoft - TrojanDownloader:Win32/Carberp.C
“Generic.Downloader.Z“ is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. This could include the installation of additional malware or malware components to an affected computer.
Upon execution, the Trojan copies itself to the location below:
- %UserProfile%\Start Menu\Programs\Startup\chkntfs.exe
It drops the following file:
- %AppData%\chkntfs.dat
After execution, the Trojan connects to the site "teenc[removed].us" and downloads the following malicious files:
- %Temp%\2C.tmp
- %Temp%\dwm.exe
- %AppData%\329612.exe
- %AppData%\Microsoft\svchost.exe
- %UserProfile%\Local Settings\Application Data\329612.exe
The following registry key has been created:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
The following registry values have been created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
svchost = "%AppData%\Microsoft\svchost.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
329612 = ""%AppData%\329612.exe" 0 35 "
The registry entries above ensure that the Trojan executes every time Windows starts.
It also sets the following value:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyServer = "http=127.0.0.1:50370"
The downloaded file "329612.exe" is a fake security tool with the same behavior as FakeAlert-SpyPro.gen.p.
It also connects to the following malicious sites to download malicious files:
- 92.241.[removed]
- 91.213.[removed]
- zone[removed].com
- protectyourpc[removed].com through remote port 80
- rotten[removed].net/hacked/installer1.exe
[Note : %UserProfile% - C:\Documents and Settings\[UserName],
%AppData% - C:\Documents and Settings\[UserName]\Application Data,
%Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp\]
----------
-----Updated September 8, 2010-----
File Information:
- MD5 : 857CDA54AFAD92E0AA0EDE5B89669470
- SHA : F88ADFDCA09876A7DB39676C55352C001C065B22
Aliases:
- Kaspersky: Trojan-Downloader.JS.Iframe.oj
- Avira: JS/Dldr.IFrame.BM
- Microsoft: TrojanDownloader:JS/Psyme.gen
Characteristics:
"Generic Downloader.z" is a JavaScript detection for malicious iframes embedded in various legitimate websites. The JavaScript generally uses the String.fromCharCode method to generate the iframe HTML source from decimal Unicode values; document.write is then used to make the browser render the iframe element in the victim's web browser.
The inserted iframe usually contains the following elements:
- name=O1
- src: http://77.221.[removed]/.if/go.html
- style=display: none
Symptoms:
At the time of this analysis the web server residing at the iframe src location was unavailable.
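As an added, defender-side illustration (not code from the McAfee description), the following Python helper reverses the obfuscation described above: it decodes the decimal code points passed to String.fromCharCode and reports any iframe whose style hides it from the user. The sample script and its placeholder host (an RFC 5737 documentation address) are constructed for the example; the real src is not used.

```python
"""Decode String.fromCharCode obfuscation and flag hidden iframes (added example).

The injected script this description covers assembles the iframe HTML from a
list of decimal character codes and hands it to document.write. This helper
reverses that: it extracts the numeric arguments of every
String.fromCharCode(...) call, decodes them, and reports any iframe whose
style keeps it out of the user's view.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List

_FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def decode_from_char_code(script: str) -> List[str]:
    """Return the decoded text of each String.fromCharCode(...) call in the script."""
    decoded = []
    for m in _FROM_CHAR_CODE.finditer(script):
        codes = [int(tok) for tok in re.findall(r"\d+", m.group(1))]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def hidden_iframes(html: str) -> List[Dict[str, str]]:
    """Return the attribute dicts of iframes whose style makes them invisible."""
    collector = _IframeCollector()
    collector.feed(html)
    return [f for f in collector.iframes if _HIDDEN_STYLE.search(f.get("style", ""))]


def analyze_script(script: str) -> List[Dict[str, str]]:
    """Decode every fromCharCode payload in a script and return the hidden iframes found."""
    found: List[Dict[str, str]] = []
    for html in decode_from_char_code(script):
        found.extend(hidden_iframes(html))
    return found


def _build_sample_script(html: str) -> str:
    """Produce the obfuscated form for the constructed test input only."""
    codes = ",".join(str(ord(ch)) for ch in html)
    return f"document.write(String.fromCharCode({codes}));"


# Constructed sample: the host is an RFC 5737 documentation address, not the real src.
SAMPLE_HTML = '<iframe name=O1 src="http://198.51.100.7/.if/go.html" style="display: none"></iframe>'
SAMPLE_SCRIPT = _build_sample_script(SAMPLE_HTML)

if __name__ == "__main__":
    for frame in analyze_script(SAMPLE_SCRIPT):
        print("hidden iframe:", frame.get("name"), "->", frame.get("src"))
```

The decoder only handles the plain decimal form this description mentions; scripts that split the code list across variables or add arithmetic to each element would need the expression evaluated first, which is why the iframe check is kept separate from the decoding step.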
-------------- Update April 23 ------------------
File Information
- MD5 - BFF86B7779D77755355458ADB6C2DDEA
- SHA1 - DDAAB5F5495BC038DD66665425234DC308B08957
Generic.Downloader.Z is a Trojan which downloads and executes arbitrary files. The downloaded files may be injected directly into other processes. It usually downloads a Trojan which sends spam. It also employs rootkit behavior and other defensive techniques to avoid detection and removal.
It attempts to connect to the following remote hosts to download malicious files:
- 74.86.76.[removed] through remote port 443
- 210.171.131.[removed]
Upon execution, the Trojan copies itself into the following locations:
- %windir%\system32\wuaucldt.exe (detected as Generic Downloader.z)
- %UserProfile%\wuaucldt.exe (detected as Generic Downloader.z)
It also attempts to drop a device driver into the following location:
- %windir%\system32\dllcache\cdrom.sys (detected as Cutwail.gen.q)
The Trojan uses advanced stealth (rootkit) functionality to hide its presence.
The following values are added to the system:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
syncman = "%windir%\system32\wuaucldt.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
syncman = "%UserProfile%\wuaucldt.exe"
The registry entries above ensure that wuaucldt.exe runs every time Windows starts.
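The persistence mechanism is the same across the updates above: a value under a Run, RunOnce or policies\Explorer\Run key (the Dec 10, 2011, Sept 9, 2011, July 15, 2011, Nov 20, 2010 and April 23 updates) points at an executable dropped in a user-writable location. As an added example, not McAfee's own tooling, the Python below parses a .reg export of those keys and flags values whose image path sits in such a location or whose file name matches one reported in this description. The sample export is constructed from the entries above plus one benign ctfmon.exe entry; the %windir% and %UserProfile% expansions are assumed to be the Windows XP defaults noted on the page.

```python
"""Triage autostart entries in a Windows .reg export (added example).

Parses the text format written by regedit / `reg export` and lists every
value under the three autostart keys this description mentions (Run,
RunOnce and policies\\Explorer\\Run). A value is flagged when its image
path sits in a user-writable drop location such as %Temp%, %AppData% or
the Desktop, or when the file name is one this description reports.
"""
import re
from typing import Dict, List, Tuple

# Key-path suffixes (compared case-insensitively) whose values run at logon.
AUTOSTART_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)

# Path fragments typical of user-writable drop locations (lower-case).
SUSPICIOUS_FRAGMENTS = (
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\desktop\\",
    "%temp%\\",
    "%appdata%\\",
)

# File names taken from the registry entries reported in this description.
KNOWN_NAMES = {"wuaucldt.exe", "chkntfs.exe", "efcd81fe0088193f.exe"}

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
_EXE_NAME = re.compile(r'([^\\/"]+\.exe)\b')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg file.

    Only quoted string values are kept (dword/hex lines are skipped) and the
    backslash escaping used by the .reg format is undone.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            result[current][m.group("name")] = data
    return result


def classify(image_path: str) -> str:
    """Return 'location', 'name' or '' explaining why an autostart value is suspect."""
    lowered = image_path.lower()
    if any(frag in lowered for frag in SUSPICIOUS_FRAGMENTS):
        return "location"
    m = _EXE_NAME.search(lowered)
    if m and m.group(1) in KNOWN_NAMES:
        return "name"
    return ""


def autostart_entries(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """List (key, value_name, data, reason) for every value under an autostart key."""
    found = []
    for key, values in reg.items():
        if key.lower().endswith(AUTOSTART_SUFFIXES):
            for name, data in values.items():
                found.append((key, name, data, classify(data)))
    return found


def suspicious_entries(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse a .reg export and return only the flagged autostart values."""
    return [e for e in autostart_entries(parse_reg_export(text)) if e[3]]


# Constructed sample export mixing one benign entry with values reported above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"syncman"="C:\\WINDOWS\\system32\\wuaucldt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"syncman"="C:\\Documents and Settings\\Administrator\\wuaucldt.exe"
"run32"="C:\\Documents and Settings\\Administrator\\Desktop\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"44258"="C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\efcd81fe0088193f.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:50370"
"""

if __name__ == "__main__":
    for key, name, data, reason in autostart_entries(parse_reg_export(SAMPLE_EXPORT)):
        flag = f"SUSPICIOUS ({reason})" if reason else "ok"
        print(f"{flag:22} {key}\\{name} = {data}")
```

On a suspect host the input comes from `reg export` of each autostart key; files written by regedit are UTF-16 with a byte-order mark, so decode them as UTF-16 before passing the text in. A RunOnce entry that has already fired will no longer be present, so pair this check with the dropped-file and mutex indicators listed in the updates above.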
The Trojan creates the following mutex:
- MsSyncronizationManager
It connects to the following sites to collect user credentials and other information:
- k.jfc.[removed]
- sared[removed].br
- ssl87[removed]br
- bu[removed]ua
- irt[removed]p
- news[removed]o.jp
- billbo[removed]r
- foru[removed]g.ua
- ston[removed]a
- secu[removed]m.br
- cent[removed]jp
- cg.ce[removed].jp
- maste[removed]ua
- acc[removed]d.ua
- loj[removed]br
- ml[removed]p
- ms[removed].ua
- wow.mer[removed]rg.ua
- apply.reed[removed]o.jp
- forums.ub[removed]x.jp
-----------------------
-- Update March 11, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2010/03/11/playstation_emulator_malware/
--
A new variant of this threat has been discovered which tries to disguise itself as a bogus PlayStation emulator.
This variant posts sensitive information from the infected machine to several websites, and downloads and installs more malicious files. All files downloaded by this program are already detected as FakeAlert-MA.gen.
Upon execution, this malware shows the following behavior:
Tries to connect to the websites below to post data and request files to download:
- angel[removed]arts.com
- super[removed]media.com
- best[removed]arts.com
- dogart[removed].com
- dancearts[removed].com
- art[removed]world.com
Adds the following key to the registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs = 0x3A98
Deletes itself from disk.
--
This is a generic detection for Downloader trojans.
For further information, please refer to the Generic Downloader description.
Symptoms
- Unexpected connections to the IP addresses mentioned above.
- Presence of the files and registry entries mentioned above.
Method of Infection
Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or on un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
- Insert the Windows XP CD into the CD-ROM drive and restart the computer.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- Select the Windows installation that is compromised and provide the administrator password.
- Issue the 'fixmbr' command to restore the Master Boot Record.
- Follow the onscreen instructions.
- Reset and remove the CD from the CD-ROM drive.
On Windows Vista and 7:
- Insert the Windows CD into the CD-ROM drive and restart the computer.
- Click on "Repair Your Computer".
- When the System Recovery Options dialog comes up, choose the Command Prompt.
- Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
- Follow the onscreen instructions.
- Reset and remove the CD from the CD-ROM drive.
2. Update to the current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.