Downloader-ATM
- Type: Trojan
- SubType: Downloader
- Discovery Date: 01/20/2006
- Length: Varies
- Minimum DAT: 4679 (01/20/2006)
- Updated DAT: 4985 (03/15/2007)
- Minimum Engine: 5.1.00
- Description Added: 01/20/2006
- Description Modified: 09/18/2006 10:14 AM (PT)
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- PWSteal.Tarno.R (Symantec)
- Troj/Clagger-D (Sophos)
- Trojan-Downloader.Win32.Agent.ado (Kaspersky)
- Win32/Clagger!generic (CA VET)
- Win32/Clagger.5944!Trojan (CA Inoculate)
Characteristics
-- Update September 18th 2006 --
A new variant is known to have been spammed out to users by email. The file arrives inside a ZIP archive (RAKNINGEN.ZIP). When run, it connects to a remote site to download files. Two of these files are already detected with the current DATs as Spy-Agent.ak and Generic Keylogger.m. The third and final file is a DLL component and is detected as the Spy-Agent.ba trojan using the 4855 DATs.
-- Update January 20th 2006 --
A recent spam run has been reported that is intended to download a password stealer, which is detected as PWS-Cashgrabber.
Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.
This downloader variant tries to download a file called "ndppbzn.exe" from http://scaredback.com.
As the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every user infection.
This trojan was spammed on January 20th, 2006 using the following email format:
Dear customer! We are unable to obtain payment from the credit card on file for your The Overdraft Exceed Please contact your credit card company to resolve this matter, or log into Order details: Date: 01/19/06 You have ordered the following: Price +VAT 14.52 If your charges are not approved within two weeks, your account will We value your business, and hope you act quickly to keep your Sincerely, Thank you for choosing CCBill as the eMerchant for your subscription
Attachment: 1185.exe
Symptoms
When run, this trojan attempts to download a copy of PWS-Cashgrabber from http://scaredback.com/[censored]
It modifies the registry to bypass the local proxy and to make the built-in Windows XP firewall trust this downloader's internet access, by modifying the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\Proxybypass = "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ "1185.exe:*:enabled:EarthWormJimm"
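The two registry changes above are the kind of artefact an analyst can check for across a fleet. The following is an added example, not code from the original description or from AVERT: it parses a regedit-style export, flags a ProxyBypass value set to 1 under the Zonemap key, and flags any enabled AuthorizedApplications entry whose executable is not on a small allowlist. The export text is constructed for the example, the path C:\Docs\1185.exe is a placeholder, and the KNOWN_GOOD allowlist and all function names are assumptions.

```python
import re

# Constructed sample in regedit export format (not taken from an infected
# host). "C:\Docs\1185.exe" is a placeholder path; the sessmgr.exe entry
# mimics a default Windows XP SP2 Remote Assistance firewall exception.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Docs\\1185.exe"="C:\\Docs\\1185.exe:*:Enabled:EarthWormJimm"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=data  (the name may contain escaped quotes and backslashes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

ZONEMAP_SUFFIX = r'\internet settings\zonemap'
FW_LIST_SUFFIX = r'\authorizedapplications\list'

# Executables treated as expected firewall exceptions (assumption; tune per
# environment).
KNOWN_GOOD = {'sessmgr.exe'}


def reg_unescape(s):
    # Undo .reg string escaping: doubled backslash -> single, \" -> "
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][reg_unescape(m.group(1))] = m.group(2)
    return keys


def string_data(raw):
    """Decode a REG_SZ literal ("...") to text; other types come back as-is."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return reg_unescape(raw[1:-1])
    return raw


def audit(keys, known_good=KNOWN_GOOD):
    """Return (finding_kind, key_path, value_name) tuples."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(ZONEMAP_SUFFIX):
            for name, raw in values.items():
                if name.lower() == 'proxybypass' and raw.lower() == 'dword:00000001':
                    findings.append(('proxy_bypass', key, name))
        elif k.endswith(FW_LIST_SUFFIX):
            for name, raw in values.items():
                # Data layout: <path>:<scope>:<Enabled|Disabled>:<display name>;
                # split from the right so the drive-letter colon in <path> survives.
                fields = string_data(raw).rsplit(':', 3)
                if len(fields) != 4 or fields[2].lower() != 'enabled':
                    continue
                exe = name.replace('/', '\\').rsplit('\\', 1)[-1].lower()
                if exe not in known_good:
                    findings.append(('firewall_exception', key, name))
    return findings


def audit_text(text, known_good=KNOWN_GOOD):
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit(parse_reg(text), known_good)


if __name__ == '__main__':
    for kind, key, name in audit_text(SAMPLE_REG):
        print(f'{kind}: {key} -> {name}')
```

Run against a real export (regedit /e on the SharedAccess and Internet Settings keys), the script reports the ProxyBypass flip and the unexpected firewall exception while leaving allowlisted entries alone; a non-empty result is a cue to pull the named executable for analysis rather than a verdict by itself.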
Method of Infection
This downloader trojan was mass spammed on January 20th, 2006.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A