Downloader-ARL

Type
Trojan
SubType
Downloader
Discovery Date
11/25/2005
Length
Minimum DAT
4637 (11/25/2005)
Updated DAT
5339 (07/15/2008)
Minimum Engine
5.1.00
Description Added
11/25/2005
Description Modified
12/28/2006 11:08 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update December 28th, 2006:

A new variant was found in spammed e-mails resembling the following content:

From: {spoofed e-mail address}
To: {your e-mail address}
Subject: Happy New Year!
Body: {blank}

Attachment: postcard.exe (W32/Nuwar@MM)

When run, postcard.exe drops Downloader-ARL with a random filename and contacts 81.177.x.x, which is consistent with other variants.

Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.

Upon execution, it copies itself into the system directory and creates the registry key listed below.

Files Added

  • %SYSTEMDIR%\winsub.xml (4 bytes) 
  • %SYSTEMDIR%\svcp.csv (91408 bytes)

Several additional files are also written to c:\documents and settings\%USER%\local settings\temporary internet files (the Internet Explorer cache).

The following registry key is created:

  • hkey_local_machine\software\microsoft\downloadmanager

Symptoms

The application creates the following network connection(s):

  • oqpghpuk.exe server:127.0.0.1 port:1087
  • oqpghpuk.exe server:81.177.3.175 port:80
  • zhopaizdupla.exe server:81.177.3.175 port:80
  • zhopaizdupla.exe server:127.0.0.1 port:1084
  • zhopaizdupla.exe server:208.36.123.14 port:25

The executable filename varies from sample to sample; the names above are from one analysed sample. The connections to 127.0.0.1 on ports 1084 and 1087 are local sockets, and the connection to port 25 is SMTP, consistent with the mass-mailing component (W32/Nuwar@MM) that drops this downloader. The remote addresses date from 2006 and may have been reassigned since, so treat a hit on them as a prompt to investigate rather than as proof of infection.
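As an added example (not code from the original description or from McAfee), the indicators in Files Added, the registry key and the network connections above are turned into a small Python matcher and run over constructed telemetry lines written in the page's own "image server:ip port:n" form. The sample lines, the benign entries mixed in, and the concrete expansions of %SYSTEMDIR% are assumptions; the addresses are 2006 data and may have been reassigned since.

```python
import re

# Indicators transcribed from this description. The addresses date from 2006 and
# may have been reassigned since, so a hit is a reason to investigate, not proof.
C2_ENDPOINTS = {
    ("81.177.3.175", 80),   # HTTP: fetches further components
    ("208.36.123.14", 25),  # SMTP: consistent with the mass-mailing component
}
LOOPBACK_PORTS = {1084, 1087}   # local sockets the page lists (weak on their own)
DROPPED_FILES = {r"%systemdir%\winsub.xml", r"%systemdir%\svcp.csv"}
REGISTRY_KEYS = {r"hkey_local_machine\software\microsoft\downloadmanager"}

# Assumed expansions of %SYSTEMDIR% on the Windows versions this page targets;
# extend for the hosts you actually collect from.
SYSTEMDIR_PREFIXES = (r"c:\windows\system32", r"c:\winnt\system32")

# Telemetry line shapes (assumed): "net <image> server:<ip> port:<n>",
# "file <path> [<size>]", "reg <key>".
NET_RE = re.compile(r"^net\s+(?P<image>\S+)\s+server:(?P<ip>[\d.]+)\s+port:(?P<port>\d+)$", re.I)
FILE_RE = re.compile(r"^file\s+(?P<path>.+?)(?:\s+\d+)?$", re.I)
REG_RE = re.compile(r"^reg\s+(?P<key>\S+)$", re.I)

# Constructed sample telemetry, not captured from a real infection.
SAMPLE_EVENTS = [
    "net oqpghpuk.exe server:127.0.0.1 port:1087",
    "net oqpghpuk.exe server:81.177.3.175 port:80",
    "net zhopaizdupla.exe server:208.36.123.14 port:25",
    "net outlook.exe server:10.0.0.5 port:25",              # benign mail client
    r"file C:\WINDOWS\system32\svcp.csv 91408",
    r"file C:\WINDOWS\system32\winsub.xml 4",
    r"file C:\WINDOWS\system32\drivers\etc\hosts 824",      # benign
    r"reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager",
    r"reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",  # benign
]


def normalize_path(path):
    """Lower-case a path and fold the concrete system directory back to %SYSTEMDIR%."""
    p = path.strip().lower()
    for prefix in SYSTEMDIR_PREFIXES:
        if p.startswith(prefix):
            return "%systemdir%" + p[len(prefix):]
    return p


def classify(line):
    """Return the list of indicator tags a single telemetry line matches."""
    tags = []
    text = line.strip()
    m = NET_RE.match(text)
    if m:
        ip, port = m.group("ip"), int(m.group("port"))
        if (ip, port) in C2_ENDPOINTS:
            tags.append("c2:%s:%d" % (ip, port))
        elif ip == "127.0.0.1" and port in LOOPBACK_PORTS:
            tags.append("loopback:%d" % port)
        return tags
    m = FILE_RE.match(text)
    if m:
        norm = normalize_path(m.group("path"))
        if norm in DROPPED_FILES:
            tags.append("file:" + norm)
        return tags
    m = REG_RE.match(text)
    if m and m.group("key").lower() in REGISTRY_KEYS:
        tags.append("reg:" + m.group("key").lower())
    return tags


def scan(lines):
    """Count hits per indicator tag across a batch of telemetry lines."""
    hits = {}
    for line in lines:
        for tag in classify(line):
            hits[tag] = hits.get(tag, 0) + 1
    return hits


def verdict(hits):
    """Loopback sockets alone are too generic to act on; require a C2, file or registry hit."""
    strong = [t for t in hits if t.split(":")[0] in ("c2", "file", "reg")]
    return "likely Downloader-ARL" if strong else "no strong indicator"


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for tag, n in sorted(found.items()):
        print(n, tag)
    print(verdict(found))
```

The loopback connections are deliberately scored below the other indicators: many legitimate programs open local sockets on ephemeral ports, whereas the dropped file names, the registry key and the two remote endpoints are specific to this family.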

Method of Infection

N/A. Downloaders are not viruses and contain no method of replicating themselves. They may, however, be downloaded by other viruses and/or Trojans and installed on the user's system.

Many are also mass-spammed by the author to entice users into double-clicking them.

Alternatively, they may be installed by visiting a malicious web page, either by clicking on a link or through a scripted exploit hosted on the site that installs the downloader with no user interaction.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

Downloader-ARL serves as a downloading/updating component for other malicious files.
It generally makes Internet connections without the user's knowledge and downloads malicious
content.

Aliases

  • Downloader.Tibs (GRISoft)
  • Trojan.Galopoper.A (Symantec)
