Downloader-AAP

Content

Downloader-AAP

Type: Trojan
SubType: Downloader
Discovery Date: 05/11/2005
Length: varies
Minimum DAT: 4489 (05/11/2005)
Updated DAT: 5544 (03/05/2009)
Minimum Engine: 5.1.00
Description Added: 05/11/2005
Description Modified: 02/22/2007 9:41 PM (PT)

Risk Assessment

Corporate User: Low-Profiled
Home User: Low-Profiled

Tab Navigation

Characteristics

-- Update February 22, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.sda-asia.com/sda/features/psecom,id,980,srn,2,nodeid,4,_language,Singapore.html

-- Update February 22, 2007 --

Recent mass-spamming of new variants are spoofed as billing confirmation e-mails from IKEA, the Swede home furnishing store:

-- Update January 23, 2006 --
There was a recent mass-spamming of a new variant of this trojan. The email message sent is as follows:

From: "Gebuehreneinzugszentrale" <INFO@GEZ.DE>
Subject: Ihre detaillierte GEZ Rechnung von 22.12.2006 - 22.01.2007
Body:

Rechnungsnummer 561 851 267 3953
Kundennummer 452 568 3529
Datum 22. Januar 2006

Bei R�ckfragen bitte Kundennummer angeben

Sehr geehrter GEZ Kunde,

die Gesamtsumme f�r Ihre Rechnung im Monat Dezember betr�gt: 260,37 Euro.
Anbei erhalten Sie den detaillierten Nutzungsnachweis im beigef�gter ZIP Datei.
Bitte beachten Sie, dass diese Rechnung einen Zuschlag beinhaltet, der durch das nicht rechtzeigige Anmelden des Internetverbindung entstanden ist.
Die Unterlassung rechtzeitiger Einw�nde gilt als Genehmigung. Weitere Informationen zum Widerspruch finden ebenfalls im beigef�gten Dokument.

Sind Sie Unternehmer und ben�tigen unsere Rechnung zur Geltendmachung von Vorsteuerabzug? Bitte beachten Sie dann, dass Sie seit 29.12.2004 die M�glichkeit haben, Ihre Rechnung per E-Mail mit einer qualifizierten elektronischen Signatur zu erhalten. Sie konnen diese im Bereich "pers�nliche Einstellungen" aktivieren.
Sollten Sie dem Finanzamt bisher eine von Ihnen zus�tzlich beauftragte Rechnung in Papierform zum Vorsteuerabzug vorgelegt haben, bitten wir auserdem zu beachten, dass wir Ihnen diese nur noch in Form eines "Rechungsdoppels" bieten k�nnen, da nur so vermieden werden kann, dass GEZ mehrere Rechnungsoriginale ausstellt.

Antworten auf Ihre weiteren Fragen zur digitalen Signatur finden Sie auch in unseren FAQs unter dem Stichwort "Digitale Signatur".
======================================
GEZ AKTUELL
Die Ministerprasidenten haben am 19. Oktober 2006 beschlossen, dass fur "Neuartige Rundfunkgerate" (Internet-PCs) ab Januar 2007 eine Gebuhr in Hohe von EUR 5,52 zu entrichten ist. Betroffen davon sind nur diejenigen, die bisher weniger als 2 Rundfunkgerate angemeldet haben. www.gez.de/aktuell
======================================
Mit freundlichen Grussen
Ihre GEZ Team
i.A. Sandy Steinecke
---------------------------------------------------
Gebuehreneinzugszentrale 2007

Attachment: GEZ_Rechnung.pdf.exe (26112bytes)

-- Update January 15, 2006 --
There was a recent mass-spamming of a new variant of this trojan. The email message sent is as follows:

From: "GEZ Rechnung" or "GEZ Deutschland"
Subject: Ihre GEZ Rechnung Dezember
Body:

Rechnungsnummer
Kundennummer
Datum 012 545 124 4785
8547 0145 0114
12. Januar 2006
Bei R�ckfragen bitte Kundennummer angeben

Sehr geehrter GEZ Kunde,

die Gesamtsumme f�r Ihre Rechnung im Monat Dezember betr�gt: 445,99 Euro.
Anbei erhalten Sie den detaillierten Nutzungsnachweis im beigef�gter ZIP Datei.
Bitte beachten Sie, dass diese Rechnung einen Zuschlag beinhaltet, der durch das nicht rechtzeigige Anmelden des Internetverbindung entstanden ist.
Die Unterlassung rechtzeitiger Einw�nde gilt als Genehmigung. Weitere Informationen zum Widerspruch finden ebenfalls im beigef�gten Dokument.

Sind Sie Unternehmer und ben�tigen unsere Rechnung zur Geltendmachung von Vorsteuerabzug? Bitte beachten Sie dann, dass Sie seit 29.12.2004 die M�glichkeit haben, Ihre Rechnung per E-Mail mit einer qualifizierten elektronischen Signatur zu erhalten. Sie konnen diese im Bereich "pers�nliche Einstellungen" aktivieren.
Sollten Sie dem Finanzamt bisher eine von Ihnen zus�tzlich beauftragte Rechnung in Papierform zum Vorsteuerabzug vorgelegt haben, bitten wir auserdem zu beachten, dass wir Ihnen diese nur noch in Form eines "Rechungsdoppels" bieten k�nnen, da nur so vermieden werden kann, dass GEZ mehrere Rechnungsoriginale ausstellt.

Antworten auf Ihre weiteren Fragen zur digitalen Signatur finden Sie auch in unseren FAQs unter dem Stichwort "Digitale Signatur".
======================================
GEZ AKTUELL
Die Ministerprasidenten haben am 19. Oktober 2006 beschlossen, dass fur "Neuartige Rundfunkgerate" (Internet-PCs) ab Januar 2007 eine Gebuhr in Hohe von EUR 5,52 zu entrichten ist. Betroffen davon sind nur diejenigen, die bisher weniger als 2 Rundfunkgerate angemeldet haben.
======================================

Mit freundlichen Grussen
Ihre GEZ Team
i.A. Sandy Steinecke
---------------------------------------------------
Attachment: Rechnung_GEZ.zip (7.18 KB)

-- Update January 11, 2006 --
There was a recent mass-spamming of a new variant of this trojan. The email message sent is as follows:

From: "Trestles S. Breech" <CUSTOMERSERVICE@CMSFX.COM>
Subject: CMS FOREX
Body:

Congratulations!!! You are invited to test our new software release for
active forex traders.
Including many features and a FREE access to register a real account with
200 USD balance.

The software is attached to this letter, simply run it and follow the on
screen instructions.

Thank you.

Business hours: 9 AM-6PM EST - Monday through Thursday, 9AM-5PM EST -
Friday.
Office is closed on weekends and holidays.

Telephone: 212-563-2100

Fax: 212-563-4994

Mailing address:
Empire State Building
350 5th Avenue
Suite 6400
New York, NY 10118

Attachment: forex.exe (8kb)

When the forex.exe file is run, it drops a DLL in the WINDOWS SYSTEM directory, such as: c:\windows\system32\fldrsys.dll

This component is registered with Windows:

HKEY_CLASSES_ROOT\CLSID\{%random_CLSID%}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\ShellServiceObjectDelayLoad "fldrsys" = {%random_CLSID%}

The fldrsys.dll file is loaded into SVCHOST.EXE and it attempts to contact the following sites:

gernhardts.com/Gallerys/java/45
muirventures.ca/images/flags
actionwebdevelopment.com/images/flags
cosmoflash.com/images/flags
cosmed-hair.com/images/flags
www.drapesofart.com/images/nav

Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.

This sample makes no changes to the system registry or file system.

This downloader variant tries to download a file called "test.exe". At the time of description authoring the site hosting this file was not available.

As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behaviour of these new binaries altered - possibly with every user infection.

Symptoms

Downloaders install other malware including viruses as well as other Trojans.

Additionally many of them are used to remotely install Adware packages onto the affected host machine for the purposes of gaining referral revenue from the Adware software vendor.

Method of Infection

N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

-- Update February 22, 2007 --

Recent mass-spamming of new variants are spoofed as billing confirmation e-mails from IKEA, the Swede home furnishing store:

-- Update January 23, 2006 --
There was a recent mass-spamming of a new variant of this trojan. The email message sent is as follows:

Bei R�ckfragen bitte Kundennummer angeben

Sehr geehrter GEZ Kunde,

-- Update January 15, 2006 --
There was a recent mass-spamming of a new variant of this trojan. The email message sent is as follows:

Sehr geehrter GEZ Kunde,

Mit freundlichen Grussen
Ihre GEZ Team
i.A. Sandy Steinecke
---------------------------------------------------
Attachment: Rechnung_GEZ.zip (7.18 KB)

-- Update January 11, 2006 --
There was a recent mass-spamming of a new variant of this trojan. The email message sent is as follows:

The software is attached to this letter, simply run it and follow the on
screen instructions.

Thank you.

Business hours: 9 AM-6PM EST - Monday through Thursday, 9AM-5PM EST -
Friday.
Office is closed on weekends and holidays.

Telephone: 212-563-2100

Fax: 212-563-4994

Mailing address:
Empire State Building
350 5th Avenue
Suite 6400
New York, NY 10118

Attachment: forex.exe (8kb)

When the forex.exe file is run, it drops a DLL in the WINDOWS SYSTEM directory, such as: c:\windows\system32\fldrsys.dll

This component is registered with Windows:

HKEY_CLASSES_ROOT\CLSID\{%random_CLSID%}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\ShellServiceObjectDelayLoad "fldrsys" = {%random_CLSID%}

The fldrsys.dll file is loaded into SVCHOST.EXE and it attempts to contact the following sites:

gernhardts.com/Gallerys/java/45
muirventures.ca/images/flags
actionwebdevelopment.com/images/flags
cosmoflash.com/images/flags
cosmed-hair.com/images/flags
www.drapesofart.com/images/nav

Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.

This sample makes no changes to the system registry or file system.

This downloader variant tries to download a file called "test.exe". At the time of description authoring the site hosting this file was not available.

Symptoms

Symptoms -

Downloaders install other malware including viruses as well as other Trojans.

Additionally many of them are used to remotely install Adware packages onto the affected host machine for the purposes of gaining referral revenue from the Adware software vendor.

Method of Infection

Method of Infection -

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Content

Downloader-AAP

Type

SubType

Discovery Date

Length

Minimum DAT

Updated DAT

Minimum Engine

Description Added

Description Modified

Risk Assessment

Tab Navigation

Overview

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer