Content
Downloader-AYN
- Type
- Trojan
- SubType
- Downloader
- Discovery Date
- 09/28/2006
- Length
- Minimum DAT
- 4862 (09/28/2006)
- Updated DAT
- 5760 (10/03/2009)
- Minimum Engine
- 5.1.00
- Description Added
- 09/28/2006
- Description Modified
- 09/28/2006 5:27 PM (PT)
Tab Navigation
Characteristics
When executed the trojan creates copies of itself in the victim's system and configures itself to load at system startup as well.
Symptoms
It creates the following network connection:
- upnp.exe server:zxcvz.com port:80
When executed the trojan creates copies of itself as below:
- %SYSTEMDIR%\upnp.exe ( 11109 bytes )
- c:\documents and settings\%USER%\local settings\temporary
internet files\content.ie5\ktx34vgq\c[1].php ( 91408 bytes )
Registry keys are also created and/or modified as following:
- hkey_current_user\software\unker
- hkey_current_user\software\unker\rechnung
- hkey_current_user\software\unker\upnp
- hkey_local_machine\software\microsoft\windows\currentversion\run
\np="%SYSTEMDIR%\upnp.exe"
Method of Infection
N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.
Many of these additionally are mass spammed by the author to entice people into double-clicking on them.
Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
Downloader serves as a downloading/updating component for other malicious files.
Generally it makes Internet connectons without user's knowledge and downloads malicious contents.
Aliases
- Trj/Abwiz.AR (Panda)
- TROJ_YABE.AE (Trend Micro)
- Trojan-Downloader.Win32.Nurech.c (Kaspersky)
Characteristics
Characteristics -
When executed the trojan creates copies of itself in the victim's system and configures itself to load at system startup as well.
Symptoms
Symptoms -
It creates the following network connection:
- upnp.exe server:zxcvz.com port:80
When executed the trojan creates copies of itself as below:
- %SYSTEMDIR%\upnp.exe ( 11109 bytes )
- c:\documents and settings\%USER%\local settings\temporary
internet files\content.ie5\ktx34vgq\c[1].php ( 91408 bytes )
Registry keys are also created and/or modified as following:
- hkey_current_user\software\unker
- hkey_current_user\software\unker\rechnung
- hkey_current_user\software\unker\upnp
- hkey_local_machine\software\microsoft\windows\currentversion\run
\np="%SYSTEMDIR%\upnp.exe"
Method of Infection
Method of Infection -
N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.
Many of these additionally are mass spammed by the author to entice people into double-clicking on them.
Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
