Downloader-AZN
- Type: Trojan
- SubType: Downloader
- Discovery Date: 12/11/2006
- Length:
- Minimum DAT: 4916 (12/11/2006)
- Updated DAT: 5717 (08/22/2009)
- Minimum Engine: 5.1.00
- Description Added: 12/11/2006
- Description Modified: 03/14/2007 4:15 AM (PT)
Characteristics
This detection is for the use?.dll file (where ? is a number) and the user32.dll file dropped in %ProgramDir%\Internet Explorer\ by the Downloader-AZN.dr trojan.
The use?.dll file is executed on startup because of the registry entry created by Downloader-AZN.dr. It downloads nothing itself but is used as a component: every five minutes it executes the Downloader-AZN.dr trojan (usually a file named KVMonXP?.exe, where ? is a number) with "i" as an argument, which causes the creation of the user32.dll file.
The file in charge of the downloading process is the user32.dll file.
It attempts to connect to a remote website, to download and automatically execute several files on the infected machine:
First, it connects to http://mydown.79725.com/{removed}.asp?reg={value} to get a list of the malware that will be downloaded.
This list of malware is stored in %Windir%\list.exe.
The downloaded files are stored in %Windir%, but their names may vary.
Then, each time it downloads a new malware, it connects to:
http://mydown.79725.com/{removed}.asp?address={Physical address of the machine}&ver={version of the downloaded file}&url={url of the downloaded file} to confirm that the file has been installed on the machine.
It creates a file named "winlk.ini" in %Windir% containing various md5 values of strings constructed like this:
{version of the malware}{URLs to download the file}.
This file is used to decide on an eventual update of the malicious files.
It also checks the content of the sysdn.ini file (previously created by the Downloader-AZN.dr trojan) in case a newer variant of the dropper is available.
This trojan also overwrites the local HOSTS file (such as c:\windows\system32\drivers\etc\hosts) with a new one that it downloads. That prevents the local system from accessing a few domain names.
A copy of this new hosts file is created in %windir%\hosts.dat.
This trojan tries to terminate the following running processes:
* vsniffer.exe
* cmd.exe
* iris.exe
* fint2005.exe
* winpcap.exe
* wsockexpert.exe
Moreover, it creates a thread that looks for dialogs from Kaspersky Anti-Virus, such as AVP.AlertDialog, AVP.Product_Notification and AVP.TrafficMonConnectionTerm. If it detects one of these dialogs, it attempts to close it.
Symptoms
Desktop firewall program alerting that a foreign application is attempting to access the Internet.
Presence of files named winlk.ini, sysdn.ini and hosts.dat in %windir%
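The file, HOSTS and network indicators listed under Characteristics and Symptoms can be turned into a simple host and proxy-log check. The following Python script is an added example written for this page, not McAfee's own tooling or code from the trojan: the %Windir% and Internet Explorer directory locations are passed in as parameters, the proxy-log lines are constructed, and REDACTED stands in for the .asp page name the advisory removed. It goes slightly beyond the page by flagging any hostname mapped to loopback or 0.0.0.0 in HOSTS, since the page does not list which domains the downloaded HOSTS file blocks.

```python
import re
from pathlib import Path

# Files the advisory says the trojan writes to %Windir% (names taken from the page).
WINDIR_IOC_FILES = ("winlk.ini", "sysdn.ini", "hosts.dat", "list.exe")
# Dropper executable, usually KVMonXP?.exe where ? is a number (per the page).
DROPPER_NAME = re.compile(r"^KVMonXP\d+\.exe$", re.IGNORECASE)
# Components dropped into %ProgramDir%\Internet Explorer\: use?.dll and a user32.dll
# that does not belong there (the legitimate user32.dll lives in System32).
IE_DIR_IOC = re.compile(r"^(?:use\d+\.dll|user32\.dll)$", re.IGNORECASE)
# Download/confirmation server named in the advisory; the .asp page name was
# redacted on the page, so the pattern keys only on the host and query parameters.
C2_PATTERN = re.compile(
    r"https?://mydown\.79725\.com/\S*\.asp\?(?:reg|address)=", re.IGNORECASE)
# Hostnames that legitimately map to loopback in a stock HOSTS file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def find_ioc_files(windir, ie_dir):
    """Return the advisory's file indicators that are present, as %Windir%/%ProgramDir% paths."""
    windir, ie_dir = Path(windir), Path(ie_dir)
    hits = [f"%Windir%\\{n}" for n in WINDIR_IOC_FILES if (windir / n).is_file()]
    if windir.is_dir():
        hits += [f"%Windir%\\{p.name}" for p in sorted(windir.iterdir())
                 if p.is_file() and DROPPER_NAME.match(p.name)]
    if ie_dir.is_dir():
        hits += [f"%ProgramDir%\\Internet Explorer\\{p.name}" for p in sorted(ie_dir.iterdir())
                 if p.is_file() and IE_DIR_IOC.match(p.name)]
    return hits


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS file text, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pairs.extend((fields[0], host.lower()) for host in fields[1:])
    return pairs


def hosts_tampering(hosts_path, hosts_dat_path):
    """Report signs that HOSTS was replaced by the trojan's downloaded copy."""
    findings = []
    hosts_path, hosts_dat_path = Path(hosts_path), Path(hosts_dat_path)
    if not hosts_path.is_file():
        return findings
    hosts_bytes = hosts_path.read_bytes()
    # The page says a copy of the new HOSTS file is kept as %windir%\hosts.dat.
    if hosts_dat_path.is_file() and hosts_dat_path.read_bytes() == hosts_bytes:
        findings.append("HOSTS is byte-identical to hosts.dat")
    # Domains sinkholed to loopback or 0.0.0.0 are how a HOSTS file blocks access.
    for ip, host in parse_hosts(hosts_bytes.decode("utf-8", errors="replace")):
        if ip in ("127.0.0.1", "0.0.0.0", "::1") and host not in LOOPBACK_OK:
            findings.append(f"{host} blocked via {ip}")
    return findings


def c2_log_hits(log_lines):
    """Return the proxy log lines showing the list download or the install confirmation."""
    return [line for line in log_lines if C2_PATTERN.search(line)]


# Constructed sample proxy log lines (not real traffic); REDACTED stands in for the
# .asp page name that the advisory removed, and the MAC address is made up.
SAMPLE_PROXY_LOG = [
    "2006-12-11 10:00:01 10.0.0.5 GET http://www.example.com/index.html 200",
    "2006-12-11 10:00:07 10.0.0.5 GET http://mydown.79725.com/REDACTED.asp?reg=1 200",
    "2006-12-11 10:05:09 10.0.0.5 GET http://mydown.79725.com/REDACTED.asp"
    "?address=00-11-22-33-44-55&ver=2&url=http://mydown.79725.com/x.exe 200",
]


if __name__ == "__main__":
    # Default Windows locations; pass other paths when checking a mounted image.
    windir = Path(r"C:\Windows")
    ie_dir = Path(r"C:\Program Files\Internet Explorer")
    for hit in find_ioc_files(windir, ie_dir):
        print("IOC file present:", hit)
    for finding in hosts_tampering(windir / "System32/drivers/etc/hosts", windir / "hosts.dat"):
        print("HOSTS finding:", finding)
    for line in c2_log_hits(SAMPLE_PROXY_LOG):
        print("C2 traffic:", line)
```

A byte-identical HOSTS and %windir%\hosts.dat pair is the strongest single indicator here, because the advisory states the trojan keeps its downloaded HOSTS file as that copy; the loopback check on its own will also flag legitimate ad-blocking HOSTS entries, so treat it as a lead rather than a verdict.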
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. However, they may also be downloaded by other viruses and/or Trojans and installed on the user's system.
Many of these are mass spammed by the author to entice people into double-clicking on them. Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Trojan onto the user's system with no user interaction).
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.