Downloader-ARR

Type: Trojan
SubType: Downloader
Discovery Date: 12/01/2005
Length:
Minimum DAT: 4641 (12/01/2005)
Updated DAT: 6546 (11/30/2011)
Minimum Engine: 5.1.00
Description Added: 12/01/2005
Description Modified: 09/29/2006 2:18 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.

This trojan configures itself to load at startup.

System Changes

Files Added

  • %SYSTEMDIR%\dmltt.exe
  • %SYSTEMDIR%\dmbxb.exe

Registry

The following registry entries are added:

  • hkey_local_machine\software\microsoft\windows\currentversion\ruins
  • hkey_local_machine\software\microsoft\windows\currentversion\ruins\ttlmd="31-4f-00-00-00-03-38-08-10-e2-53-64-43-11-00-00-00"
  • hkey_local_machine\software\microsoft\windows\currentversion\ruins\bxbmd="b5-2b-00-00-8c-bf-b2-80-a2-5e-df-e0-cf-11-00-00-00"
  • hkey_local_machine\software\microsoft\windows\currentversion\run\dmltt.exe="%SYSTEMDIR%\dmltt.exe"
  • hkey_local_machine\software\microsoft\windows\currentversion\run\dmbxb.exe="%SYSTEMDIR%\dmbxb.exe"

Symptoms

Presence of the files and registry entries mentioned.
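As an added example (not part of the vendor description), the following read-only PowerShell check looks for the files and registry entries listed above on a Windows host. It assumes %SYSTEMDIR% is the System32 directory returned by [Environment]::SystemDirectory, and it reports findings without removing anything.

```powershell
# Added read-only check for the Downloader-ARR indicators described on this page.
# It reports matches and changes nothing; run it in an elevated PowerShell session.

$SystemDir = [Environment]::SystemDirectory   # %SYSTEMDIR% in the description (assumed = System32)
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RuinsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins'

# File names double as the Run-key value names, per the "Registry" section.
$DroppedFiles = @('dmltt.exe', 'dmbxb.exe')
$Findings = @()

# 1. Dropped executables in the system directory
foreach ($Name in $DroppedFiles) {
    $Path = Join-Path $SystemDir $Name
    if (Test-Path -LiteralPath $Path) {
        $Item = Get-Item -LiteralPath $Path
        $Findings += [pscustomobject]@{
            Indicator = 'File'
            Location  = $Path
            Detail    = 'size={0} modified={1:u}' -f $Item.Length, $Item.LastWriteTime
        }
    }
}

# 2. Startup persistence: Run values named after the dropped files
if (Test-Path -LiteralPath $RunKey) {
    $Run = Get-ItemProperty -LiteralPath $RunKey
    foreach ($Name in $DroppedFiles) {
        $Value = $Run.PSObject.Properties[$Name]
        if ($null -ne $Value) {
            $Findings += [pscustomobject]@{
                Indicator = 'RunKey'
                Location  = "$RunKey\$Name"
                Detail    = $Value.Value
            }
        }
    }
}

# 3. The trojan's own configuration key (holds the ttlmd / bxbmd values)
if (Test-Path -LiteralPath $RuinsKey) {
    $Findings += [pscustomobject]@{
        Indicator = 'ConfigKey'
        Location  = $RuinsKey
        Detail    = ((Get-Item -LiteralPath $RuinsKey).GetValueNames() -join ', ')
    }
}

if ($Findings.Count -gt 0) { $Findings | Format-Table -AutoSize }
else { 'No Downloader-ARR indicators found.' }
```

Any hit on the Run key or the ruins key is a strong indicator, since neither value name is used by legitimate Windows components; confirm with the engine and DAT versions given above before cleaning.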

Method of Infection

N/A. Downloaders are not viruses and, as such, do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these are additionally mass-spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction).

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

Downloader serves as a downloading/updating component for other malicious files.
Generally it makes Internet connections without the user's knowledge and downloads malicious content.

Aliases

  • Trj/Ruins.MB (Panda)
  • Troj/RuinDl-Gen (Sophos)
  • Trojan.Win32.Small.fb (Kaspersky)
