Downloader-ABL

Type
Trojan
SubType
Downloader
Discovery Date
06/02/2005
Length
1,536 bytes
Minimum DAT
4506 (06/03/2005)
Updated DAT
4506 (06/03/2005)
Minimum Engine
5.1.00
Description Added
06/02/2005
Description Modified
06/02/2005 1:46 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This downloader trojan was mass-spammed on June 2, 2005.  It may arrive in an email message as follows (messages vary):

Subject:

  • God Bless the USA!
  • Finally!
  • Captured..
  • He has captured..

Body:

  • Xmong. Npos alter. almonsted nocks
  • Turn on your TV. Osama Bin Laden has been captured. While CNN has no pictures at this point of time, the military channel (PPV) released some pictures. I managed to capture a couple of these pictures off my TV. Ive attached a slideshow containing all the pictures I managed to capture. I apologize for the low quality, its the best I could do at this point of time. Hopefully CNN will have pictures and a video soon. God bless the USA! Stephen Christensen

Attachment:

  • pics.zip
  • teamster.zip
  • usurus.zip
  • toxicology.zip

The zip file contains pics.scr. Despite the screensaver extension, a .scr file is an ordinary Windows PE executable and runs when double-clicked. When run, it attempts to download a file named d.gif (a PE executable, not an image, despite the extension) from various afraid.org and 2mydns.net subdomains.

At the time of this writing, a new W32/Bobax.worm variant was found on a remote server.
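The two tricks in this description, a zip attachment carrying a .scr executable and a second-stage payload named d.gif that is a PE rather than a GIF, are what a mail gateway or download proxy should check for. The following Python is an added example, not code from the original description or from McAfee; the PE stub and the pics.zip it inspects are constructed inside the script so it runs offline, and the extension lists are assumptions rather than anything the page specifies.

```python
"""Gateway-side checks for this downloader's two tricks: an archive member
with a .scr name (a PE executable posing as a screensaver) and a payload
named d.gif that is a PE, not a GIF. Sample data below is constructed."""
import io
import struct
import zipfile

# Extensions Windows runs directly on double-click (assumed list). .scr is a PE.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
# Leading bytes of genuine image formats.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"BM")


def is_pe(data: bytes) -> bool:
    """True if data carries a Windows PE header: 'MZ' at offset 0 and the
    e_lfanew pointer at 0x3C landing on a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_of(name: str) -> str:
    """Last extension of a path, lowercased, so pics.gif.scr yields .scr."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def content_type_mismatch(name: str, data: bytes) -> bool:
    """True when a file named like an image is not one (d.gif here is a PE)."""
    if extension_of(name) not in IMAGE_EXTS:
        return False
    return is_pe(data) or not data.startswith(IMAGE_MAGIC)


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Archive members a mail filter should block: executable extensions,
    PE content under any name, or image names without image content."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if (extension_of(info.filename) in EXECUTABLE_EXTS
                    or is_pe(data)
                    or content_type_mismatch(info.filename, data)):
                flagged.append(info.filename)
    return flagged


def build_fake_pe() -> bytes:
    """Constructed stand-in for the payload: a DOS header whose e_lfanew points
    at a PE signature. Only the headers a scanner keys on; it does nothing."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)


def build_sample_attachment() -> bytes:
    """Constructed pics.zip shaped like the lure: pics.scr (really a PE) plus
    a harmless text file that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pics.scr", build_fake_pe())
        zf.writestr("readme.txt", b"slideshow of captured pictures")
    return buf.getvalue()


if __name__ == "__main__":
    print("flagged in pics.zip:", suspicious_zip_members(build_sample_attachment()))
    print("d.gif really a PE:", content_type_mismatch("d.gif", build_fake_pe()))
```

The content check matters more than the extension check: renaming the member to pics.gif.scr or serving the payload as d.gif defeats a filename rule, but the MZ/PE header still identifies the file as a Windows executable.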

Symptoms

Presence of W32/Bobax.worm.dll

Method of Infection

This trojan was mass-spammed.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
