McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This detection is for a remote access trojan written with AutoIt script, compiled as stand-alone executable.  There are several variants of this trojan.  This description is a general guide.  Latest variants require the latest DATs for detection and cleaning.

Upon execution, the trojan installs itself into the Windows system directory.  The following file is created in the latest variant:

• system.mcm

Several utility dlls are copied in the same directory:

• md5.dll
• schdwrp.dll
• au3xtra.dll

The following registry key value is created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Microsoft Windows Application" = system.mcm

The following registry keys are created to register .mcm file as executable file.

• HKEY_CLASSES_ROOT\.mcm
  "(Default)" = mcmfile
• HKEY_CLASSES_ROOT\.mcm
  "Content Type" = application/x-msdownload
• HKEY_CLASSES_ROOT\.mcm\PersistentHandler
  "(Default)"={098f2470-bae0-11cd-b579-08002b30bfeb}
• HKEY_CLASSES_ROOT\mcmfile

When run, the trojan contacts a specific website and downloads other executables.  The trojan posts machine specific information such as machine name, OS, hardware info, etc via HTTP.  The trojan opens several random ports on local machine.  The trojan can perform various backdoor activities on the local machine, including

• Sending popup messages
• Upload/download/execute files on the victim machine
• Information stealing

Symptoms

Existence of the files/Registry keys detailed above

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This detection is for a remote access trojan written with AutoIt script, compiled as stand-alone executable.  There are several variants of this trojan.  This description is a general guide.  Latest variants require the latest DATs for detection and cleaning.

Upon execution, the trojan installs itself into the Windows system directory.  The following file is created in the latest variant:

• system.mcm

Several utility dlls are copied in the same directory:

• md5.dll
• schdwrp.dll
• au3xtra.dll

The following registry key value is created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Microsoft Windows Application" = system.mcm

The following registry keys are created to register .mcm file as executable file.

• HKEY_CLASSES_ROOT\.mcm
  "(Default)" = mcmfile
• HKEY_CLASSES_ROOT\.mcm
  "Content Type" = application/x-msdownload
• HKEY_CLASSES_ROOT\.mcm\PersistentHandler
  "(Default)"={098f2470-bae0-11cd-b579-08002b30bfeb}
• HKEY_CLASSES_ROOT\mcmfile

When run, the trojan contacts a specific website and downloads other executables.  The trojan posts machine specific information such as machine name, OS, hardware info, etc via HTTP.  The trojan opens several random ports on local machine.  The trojan can perform various backdoor activities on the local machine, including

• Sending popup messages
• Upload/download/execute files on the victim machine
• Information stealing

Symptoms

Symptoms -

Existence of the files/Registry keys detailed above

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A