McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Troj/Clagger-k (Sophos)

• Win32/Clagger.Q (Vet)

• Win32/TrojanDownloader.Small.NIH (Eset)

Characteristics

This detection is for a trojan downloader known to have been spammed out widely.

Users are likely to receive the downloader as an email attachment in a message similar to that below:

Subject: Your payment done.
Body:
Dear customer!
We're writing to let you know that we've initiated a transfer from your bank account (Last 4-digits: xxxx) for the following amount:

GBP 313.14 (ORDER #[id_number] , DATE #20.03.2006)

Funds should leave account in approximately three to five working days.

See your statement details in attachment.

Attachment: STATEMENT_#[id_number].exe

Where [id_number] is a random number (typically) 6-8 digits.

At the time of writing, the downloader downloads another trojan detected as BackDoor-CYJ with the specified DATs.

Symptoms

Exact symptoms of the downloader trojan itself are sparse, since the downloader exists only to download and execute another file from a remote server. This download occurs over HTTP, and unexpected access to the following domain may indicate the presence of the downloader trojan on the network:

• akgulati.com

The downloader lowers the security on the victim machine by setting the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\
SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\
AUTHORIZEDAPPLICATIONS\LIST\(path_to_troj)="path_to_troj:*:ENABLED:0"

Method of Infection

This downloader trojan is likely to be received as an attachment in a spammed out email message, masquerading as something to do with an account transfer. When run, it downloads and executes a remote file.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Troj/Clagger-k (Sophos)

• Win32/Clagger.Q (Vet)

• Win32/TrojanDownloader.Small.NIH (Eset)

Characteristics

Characteristics -

This detection is for a trojan downloader known to have been spammed out widely.

Users are likely to receive the downloader as an email attachment in a message similar to that below:

Subject: Your payment done.
Body:
Dear customer!
We're writing to let you know that we've initiated a transfer from your bank account (Last 4-digits: xxxx) for the following amount:

GBP 313.14 (ORDER #[id_number] , DATE #20.03.2006)

Funds should leave account in approximately three to five working days.

See your statement details in attachment.

Attachment: STATEMENT_#[id_number].exe

Where [id_number] is a random number (typically) 6-8 digits.

At the time of writing, the downloader downloads another trojan detected as BackDoor-CYJ with the specified DATs.

Symptoms

Symptoms -

Exact symptoms of the downloader trojan itself are sparse, since the downloader exists only to download and execute another file from a remote server. This download occurs over HTTP, and unexpected access to the following domain may indicate the presence of the downloader trojan on the network:

• akgulati.com

The downloader lowers the security on the victim machine by setting the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\
SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\
AUTHORIZEDAPPLICATIONS\LIST\(path_to_troj)="path_to_troj:*:ENABLED:0"

Method of Infection

Method of Infection -

This downloader trojan is likely to be received as an attachment in a spammed out email message, masquerading as something to do with an account transfer. When run, it downloads and executes a remote file.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A