Generic Downloader.ab
- Type: Trojan
- SubType: Win32
- Discovery Date: 04/08/2005
- Length: varies
- Minimum DAT: 4465 (04/08/2005)
- Updated DAT: 5297 (05/16/2008)
- Minimum Engine: 5.1.00
- Description Added: 04/08/2005
- Description Modified: 05/13/2008 12:11 PM (PT)
Characteristics
Update: 05/13/2008
Upon execution, one variant of Generic Downloader.ab downloads several pieces of malware from the following server:
- 195.93.218.28
It saves the downloaded files to the following locations:
- %Windir%\system32\CcEvtSvc.exe
- %Windir%\system32\svchost.ex
- %Windir%\winlogon.exe
(Where %Windir% is the Windows folder, e.g. C:\Windows. Note that the legitimate winlogon.exe resides in %Windir%\system32, so a winlogon.exe directly under %Windir% is not the system binary.)
Another variant of Generic Downloader.ab connects to the following server:
- freemoneys.cn
and then downloads further malware from the FTP server:
- 213.148.24.20
Update: 05/08/2008
A newer variant of Generic Downloader.ab uses the file name admin.exe.
Upon execution, it copies itself to the following location and deletes the original file:
%USER_PROFILE%\Local Settings\Temp\~g1.tmp
(Where %USER_PROFILE% is the current user's profile folder, such as C:\Documents and Settings\Administrator if the current user is Administrator.)
It adds the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: "%USER_PROFILE%\Local Settings\Temp\~g1.tmp"
(Session Manager processes this value at the next boot, renaming or deleting each listed file; an entry with no destination path deletes the file, so this entry most likely removes the dropped copy on the next restart.)
It attempts to connect to the following URL:
hxxp://p2p-sys.cn/[removed]
Update: 04/10/2008
A newer variant of Generic Downloader.ab uses the file name AcroRD32.exe, imitating the Adobe Reader executable.
Upon execution, it copies itself to the following location and deletes the original file:
%USER_PROFILE%\Local Settings\Temp\AcroRD32.exe
(Where %USER_PROFILE% is the current user's profile folder, such as C:\Documents and Settings\Administrator if the current user is Administrator. The legitimate Adobe Reader binary is installed under Program Files, not in a Temp folder.)
It hooks system startup by adding the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acroread: "%USER_PROFILE%\Local Settings\Temp\AcroRD32.exe"
It attempts to connect to the following URL:
hxxp://www.ahasurvey.net/[removed].htm
Update: 04/20/2007
Some Generic Downloader.ab variants are used to download Generic PWS.o password stealers from the IP address 81.29.241.20.
The downloader code is injected into the svchost.exe process, which then performs the download of the PWS trojan.
------------------------------------------------------------------------------------------------
Generic Downloader.ab covers several specific trojan variants, so this description is a general guide. The detection is for trojans intended to retrieve a file from a remote server and execute it automatically on the infected machine. The nature of the remote file varies. Once these trojans and the files they fetch are discovered, the sites hosting them are frequently taken down, so the download may stop working as expected; the result may be an empty 0-byte file or an HTML error page being downloaded instead, or no file at all.
As new trojans are frequently added to this detection, users should run the latest engine/DAT combination for optimal detection. Variants are likely to be packed with a PE packer, so enabling the scanning of compressed files also improves detection.
Exact details (filenames, Registry keys, file size) will vary between variants.
Typically this downloader will install itself and/or the remote file into the Windows or System directory and hook system startup via a Registry key such as:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
The following Registry keys are also added:
- HKEY_CLASSES_ROOT\CLSID\{AECE402B-3DC8-5CF2-E20A-AA3872D92E43}
- HKEY_CLASSES_ROOT\CLSID\{AECE402B-3DC8-5CF2-E20A-AA3872D92E43}\Data
- HKEY_CLASSES_ROOT\CLSID\{AECE402B-3DC8-5CF2-E20A-AA3872D92E43}\LocalServer
Additionally a file may be dropped in the %Windir% directory or in \Documents and Settings\administrador\Configurações locais\Temp\ (a Portuguese-locale path; "Configurações locais" is the localized "Local Settings" folder).
Finally, the trojan may delete itself from the system.
Symptoms
Update: 04/20/2007
Some recent variants of Generic Downloader.ab inject themselves into the svchost.exe process, so you may notice that process attempting to reach the remote host 81.29.241.20.
-------------------------------------------------------------------------------
A desktop firewall alerting that an unknown application is attempting to access the Internet.
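The indicators above (the dropped file paths and the Acroread Run value and PendingFileRenameOperations entry from the Characteristics section, and the svchost.exe connection to a listed host from the Symptoms section) can be checked from artifacts collected off a host. The following Python script is an added example, not part of this description or of McAfee's tooling: it matches those indicators against the text output of `reg query` and `netstat -ano`, normalising drive-specific paths to the %Windir% and %USER_PROFILE% placeholders used above and decoding the PendingFileRenameOperations list into source/target pairs. The sample registry and netstat text and the pid-to-image mapping (standing in for `tasklist` output) are constructed for the example, not captured from an infected machine.

```python
import re

# Indicators listed in this description, lower-cased, using the %Windir% and
# %USER_PROFILE% placeholders the description uses.
DROPPED_FILES = {
    r"%windir%\system32\ccevtsvc.exe",
    r"%windir%\system32\svchost.ex",
    r"%windir%\winlogon.exe",
    r"%user_profile%\local settings\temp\~g1.tmp",
    r"%user_profile%\local settings\temp\acrord32.exe",
}
RUN_VALUE_NAMES = {"acroread"}
REMOTE_HOSTS = {"195.93.218.28", "213.148.24.20", "81.29.241.20",
                "freemoneys.cn", "p2p-sys.cn", "www.ahasurvey.net"}

# One value line of `reg query` output: name, REG_* type, data.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
# One socket line of `netstat -ano` output (UDP lines have no State column).
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def normalize_path(path):
    r"""Lower-case a Windows path, drop the NT \??\ prefix and replace the
    drive-specific prefixes with the placeholders used in the description."""
    p = path.strip().strip('"').lower()
    p = re.sub(r"^\\\?\?\\", "", p)
    p = re.sub(r"^[a-z]:\\windows(?=\\)", "%windir%", p)
    p = re.sub(r"^[a-z]:\\documents and settings\\[^\\]+(?=\\)", "%user_profile%", p)
    return p


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) tuples from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()


def pending_rename_pairs(data):
    r"""Split a PendingFileRenameOperations REG_MULTI_SZ value, as printed by
    `reg query` with a literal \0 between strings, into (source, target) pairs.
    Session Manager processes the list at the next boot: an empty target
    deletes the source, a target starting with ! replaces an existing file."""
    entries = data.split("\\0")
    pairs, i = [], 0
    while i < len(entries) and entries[i] != "":
        target = entries[i + 1] if i + 1 < len(entries) else ""
        pairs.append((entries[i], target))
        i += 2
    return pairs


def hunt_registry(reg_text):
    """Flag Run values and pending-rename entries that reference the listed paths."""
    findings = []
    for key, name, _vtype, data in parse_reg_query(reg_text):
        if key.lower().endswith(r"\currentversion\run"):
            if name.lower() in RUN_VALUE_NAMES or normalize_path(data) in DROPPED_FILES:
                findings.append(("run-key", name, data))
        elif name.lower() == "pendingfilerenameoperations":
            for src, dst in pending_rename_pairs(data):
                if normalize_path(src) in DROPPED_FILES:
                    findings.append(("pending-rename", "delete" if dst == "" else "rename", src))
    return findings


def hunt_netstat(netstat_text, pid_to_image):
    """Flag sockets whose peer is one of the listed hosts, naming the owning image."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _proto, _local, remote, _state, pid = m.groups()
        host = remote.rsplit(":", 1)[0]
        if host in REMOTE_HOSTS:
            findings.append(("c2-connection", pid_to_image.get(int(pid), "?"), host))
    return findings


# Constructed sample artifacts (not captured from a real infection).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Acroread    REG_SZ    C:\Documents and Settings\Administrator\Local Settings\Temp\AcroRD32.exe

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
    PendingFileRenameOperations    REG_MULTI_SZ    \??\C:\Documents and Settings\Administrator\Local Settings\Temp\~g1.tmp\0\0
"""
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.5:1043       81.29.241.20:80        SYN_SENT        1032
  TCP    192.168.1.5:1044       195.93.218.28:80       ESTABLISHED     1756
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_TASKLIST = {4: "System", 900: "svchost.exe", 1032: "svchost.exe", 1756: "AcroRD32.exe"}


def run_demo():
    """Run both hunts over the constructed samples and return all findings."""
    return hunt_registry(SAMPLE_REG_QUERY) + hunt_netstat(SAMPLE_NETSTAT, SAMPLE_TASKLIST)


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

The path normalisation is what makes the page's placeholders usable as indicators: the same dropped file shows up as C:\WINDOWS\..., as \??\C:\WINDOWS\... in PendingFileRenameOperations, or under a differently named profile folder. A match on the svchost.exe connection alone is weak (svchost.exe legitimately talks to the Internet), which is why the script reports the owning image together with the peer host rather than treating the process name as the indicator.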
Method of Infection
The purpose of this trojan is simply to download a file from the Internet and execute it. It does not self-replicate. Downloader trojans are frequently sent in spam emails designed to entice the recipient into running the attached file.
Removal
All Users:
Use the current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.