
MultiDropper-QR

Type: Trojan
SubType: Dropper
Discovery Date: 05/25/2006
Length: N/A
Minimum DAT: 4770 (05/25/2006)
Updated DAT: 4874 (10/16/2006)
Minimum Engine: 5.1.00
Description Added: 05/25/2006
Description Modified: 05/26/2006 2:51 AM (PT)

Risk Assessment
  Corporate User: Low
  Home User: Low


Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Trojan-Dropper.Win32.Small.aoz (Kaspersky)

Characteristics

Multidropper is a general term for programs designed specifically to install and run other trojans. The trojan's user typically runs a program called a joiner or binder to combine a trojan and an innocent program (such as a game) into a single executable. Multidroppers generally have no payload or infectious capability of their own; they only install other trojans. Multidroppers are added to the DATs as they are discovered.

The dropper files serve only to drop and execute other files on the target machine. When run, that is exactly what they do; the dropper itself typically does not install on the victim machine. Files created or extracted from the original file are typically placed in standard locations such as the Windows or System folders, and the registry is modified to load the dropped binaries at Windows startup.

Upon execution the sample drops atv.jpg (file size 8851 bytes) in the same folder and displays it, as shown below:

In the background, however, it actually drops pjkh9d.dll (file size 33792 bytes) in the %windir% directory and MSDOS.PIF (file size 63142 bytes) in the %windir%\System32 directory. Both files are detected by McAfee AVERT as the VAnti trojan.

Also in the background, it makes an Internet connection to the IP address 60.xxx.xxx.113 without the user's knowledge. The original sample disappears after execution.
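A defender-side triage check for the dropped-file and startup artifacts described above, added here as an example and not part of the McAfee write-up; it assumes a Windows directory of C:\WINDOWS (replace with the host's %windir%) and, since the write-up does not name the modified registry key, that the startup entry lives in a usual CurrentVersion\Run key whose values are passed in as a dict.

```python
WINDIR = r"C:\WINDOWS"  # assumption: replace with the host's actual %windir%

# Dropped-file indicators from the write-up: (sub-folder under %windir%, file name, size in bytes)
DROPPED_FILES = (
    ("", "pjkh9d.dll", 33792),
    ("System32", "MSDOS.PIF", 63142),
)

def _norm(path):
    """Case- and separator-insensitive form of a Windows path."""
    return path.replace("/", "\\").rstrip("\\").lower()

def expected_paths(windir=WINDIR):
    """Map each expected absolute drop location to the file size given in the write-up."""
    out = {}
    for sub, name, size in DROPPED_FILES:
        parts = [windir] + ([sub] if sub else []) + [name]
        out[_norm("\\".join(parts))] = size
    return out

def check_files(listing, windir=WINDIR):
    """listing: iterable of (absolute path, size in bytes) pairs, e.g. from a directory walk.
    A size mismatch is still reported: a variant may keep the name and location of the sample."""
    expected = expected_paths(windir)
    findings = []
    for path, size in listing:
        key = _norm(path)
        if key in expected:
            note = "size matches" if size == expected[key] else "size differs (possible variant)"
            findings.append(f"file: {path} ({size} bytes, {note})")
    return findings

def check_run_values(run_values):
    """run_values: dict of value name -> command read from a startup Run key. The write-up does
    not name the modified key, so checking the usual CurrentVersion\\Run values is an assumption."""
    names = tuple(name.lower() for _, name, _ in DROPPED_FILES)
    return [f"run key: {k} -> {v}" for k, v in run_values.items()
            if any(n in v.lower() for n in names)]

# Constructed sample data standing in for a real host listing and Run key contents.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\pjkh9d.dll", 33792),
    (r"C:\WINDOWS\system32\msdos.pif", 63142),
    (r"C:\WINDOWS\notepad.exe", 69120),  # benign file, must not be flagged
]
SAMPLE_RUN = {"MSDOS": r"C:\WINDOWS\System32\MSDOS.PIF", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for line in check_files(SAMPLE_LISTING) + check_run_values(SAMPLE_RUN):
        print(line)
```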

Symptoms

Presence of the dropped files listed above on the target machine.

Method of Infection

This multidropper trojan serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels include IRC, peer-to-peer file-sharing networks, and attachments to newsgroup postings or email. The file is likely to be named so as to entice the victim to run it.

Trojans may also be received as a result of poor security practices (weak username/password combinations on open shares, lack of or misconfigured firewall protection) or through unpatched and vulnerable systems.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A