Downloader-AZQ

Type: Trojan
SubType: Downloader
Discovery Date: 12/06/2006
Length: Varies
Minimum DAT: 4914 (12/08/2006)
Updated DAT: N/A
Minimum Engine: 5.1.00
Description Added: 12/08/2006
Description Modified: 12/08/2006 5:01 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Overview

Downloader-AZQ serves as a downloading/updating component for other malicious files. Downloader trojans make Internet connections without the user's knowledge and download malicious content.

Characteristics

When run, this trojan copies itself to the Windows System directory as wdfmgr32.exe:

  • %SysDir%\wdfmgr32.exe

It creates the following registry entry to load itself at Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\wdfmgr32="%SysDir%\wdfmgr32.exe"

It also writes itself into the memory space of Internet Explorer in an attempt to bypass firewall programs.

Symptoms

  • Presence of the file and registry entry listed previously
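As an added example that is not part of the McAfee description, the following PowerShell script checks a host for the two symptoms listed above (the dropped file and the Run value) and also reports any running process whose image is the dropped file. The expansion of %SysDir% through [Environment]::GetFolderPath('System') and the HKLM: drive path form are the script's own assumptions about how the indicators map onto a given host; it only reads, it removes nothing.

```powershell
# Added example (not McAfee's code): read-only check for the Downloader-AZQ
# indicators this description lists. Run from an elevated PowerShell session.

# %SysDir% is assumed to map to the Windows System directory (e.g. C:\Windows\System32).
$sysDir    = [Environment]::GetFolderPath('System')
$filePath  = Join-Path $sysDir 'wdfmgr32.exe'
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'wdfmgr32'

$findings = @()

# Indicator 1: the file dropped into the System directory.
if (Test-Path -LiteralPath $filePath) {
    $item = Get-Item -LiteralPath $filePath
    $findings += [pscustomobject]@{
        Indicator = 'File'
        Location  = $filePath
        Detail    = "Size=$($item.Length) bytes, Modified=$($item.LastWriteTime)"
    }
}

# Indicator 2: the Run value that relaunches the file at Windows startup.
$runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{
        Indicator = 'Registry'
        Location  = "$runKey\$valueName"
        Detail    = "Data=$($runValue.$valueName)"
    }
}

# Context: any running process started from the dropped path. The description
# says the trojan also injects into Internet Explorer, so an absent process
# does not by itself mean the host is clean; the file and Run value are the
# documented symptoms.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $filePath) } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Location  = "PID $($_.Id)"
            Detail    = $_.Path
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Downloader-AZQ indicators found.'
} else {
    Write-Output 'Downloader-AZQ indicators found:'
    $findings | Format-Table -AutoSize
}
```

If either indicator is reported, clean the host with the engine and DAT versions named in the Removal section rather than deleting the artifacts by hand, since the description states the cleaning routine also reverses the startup hook.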

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, drive-by downloads, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A