Downloader-BAR

Type: Trojan
SubType: Downloader
Discovery Date: 02/15/2007
Length: 68,096 bytes (EXE dropper); 29,696 bytes (DLL)
Minimum DAT: 4964 (02/15/2007)
Updated DAT: 5373 (08/29/2008)
Minimum Engine: 5.1.00
Description Added: 02/15/2007
Description Modified: 05/24/2007 1:32 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Downloader-BAR is a trojan intended to silently download and execute malicious content from a remote server. It also uploads information about the infected machine to a remote web server.

When the executable is run on the victim machine, a DLL is dropped into the Windows system directory as:

  • %WINDIR%\SYSTEM32\crypts.dll (29,696 bytes)

Both files are compressed with the UPX packer. The downloader persists as a Winlogon notification package: a DLL registered under the Winlogon Notify key that the Winlogon process loads at startup.

The following Registry keys are added such that the DLL is loaded by Windows upon restart:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt
    "Asynchronous" = "0x00000001"
    "DllName" = "crypts.dll"
    "Impersonate" = "0x00000001"
    "StartShell" = "Run"

The trojan automatically polls a remote server and is capable of performing the following tasks:

  • Gather system information (CPU, OEM identifier, OS version, IP address, uptime, running processes).
  • Download and execute files.

After a restart, when Winlogon raises the notification named in the "StartShell" value (Run), the DLL is loaded and its code connects over HTTP to any of the following remote servers:

  • fbceeefbdede.com
  • fbecacbafaecfb.com
  • dffbacfaaf.com
  • efbbaaccdfddfbda.com
  • dbafbceefae.com

The malware uses anti-debugging techniques, such as calling the IsDebuggerPresent() API, to resist being run under a debugger.

Symptoms

  • Existence of the Registry keys described above.
  • Outgoing HTTP traffic to the domains mentioned above.

Note: As the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every user infection.
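The two symptoms above translate directly into host and network checks. The following is an added example, not code from the McAfee description: it enumerates the Winlogon Notify subkeys (on Windows; the key exists only on Windows 2000/XP/2003, since Vista removed notification packages) and classifies each DllName as the known-bad crypts.dll, an allowlisted package, or one needing review, and it scans proxy log lines for the listed domains, including subdomains. The allowlist, the Squid-style sample log lines, the sample registry contents and the helper.dll entry are constructed assumptions for illustration.

```python
"""Detection helpers for the Downloader-BAR indicators above (added example)."""
import platform
import re
from typing import Dict, Iterable, List, Tuple

# Registry path from the description (relative to HKEY_LOCAL_MACHINE).
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# DLL name dropped by Downloader-BAR, from the description.
KNOWN_BAD_DLLS = {"crypts.dll"}

# ASSUMPTION: notification packages a stock XP-era install registers. Treat as a
# placeholder and rebuild it from a clean reference system before relying on it.
ASSUMED_ALLOWLIST = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

# C2 domains listed in the description.
C2_DOMAINS = {"fbceeefbdede.com", "fbecacbafaecfb.com", "dffbacfaaf.com",
              "efbbaaccdfddfbda.com", "dbafbceefae.com"}


def classify_notify_entries(entries: Dict[str, Dict[str, str]],
                            allowlist: Iterable[str] = ASSUMED_ALLOWLIST
                            ) -> List[Tuple[str, str, str]]:
    """Return (subkey, DllName, verdict) for every Notify subkey, sorted by subkey.

    verdict is "known-bad" for the Downloader-BAR DLL, "allowlisted" for a known
    package, otherwise "review". Comparison is case-insensitive, as the registry
    is, and a full path in DllName is reduced to its file name.
    """
    allow = {a.lower() for a in allowlist}
    results = []
    for subkey, values in sorted(entries.items()):
        dll = values.get("DllName", "")
        name = dll.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_BAD_DLLS:
            verdict = "known-bad"
        elif name in allow:
            verdict = "allowlisted"
        else:
            verdict = "review"
        results.append((subkey, dll, verdict))
    return results


def collect_notify_entries() -> Dict[str, Dict[str, str]]:
    """Read the live Notify key. Returns {} off Windows or if the key is absent."""
    if platform.system() != "Windows":
        return {}
    import winreg  # only importable on Windows
    entries: Dict[str, Dict[str, str]] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as notify:
            for i in range(winreg.QueryInfoKey(notify)[0]):
                sub = winreg.EnumKey(notify, i)
                with winreg.OpenKey(notify, sub) as k:
                    values = {}
                    for j in range(winreg.QueryInfoKey(k)[1]):
                        name, data, _kind = winreg.EnumValue(k, j)
                        values[name] = str(data)
                    entries[sub] = values
    except OSError:
        return {}
    return entries


# Host-like tokens: one or more dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def find_c2_contacts(log_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, c2_domain) for lines naming a C2 domain or a subdomain.

    A suffix match requires the dot boundary, so notdffbacfaaf.com is not a hit.
    """
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        matched = set()
        for host in HOST_RE.findall(line):
            h = host.lower().rstrip(".")
            for c2 in C2_DOMAINS:
                if h == c2 or h.endswith("." + c2):
                    matched.add(c2)
        hits.extend((lineno, c2) for c2 in sorted(matched))
    return hits


# Constructed sample data (not real traffic or a real machine).
SAMPLE_NOTIFY = {
    "crypt32chain": {"DllName": "crypt32.dll", "Asynchronous": "0"},
    "crypt": {"Asynchronous": "1", "DllName": "crypts.dll",
              "Impersonate": "1", "StartShell": "Run"},
    "wzcnotif": {"DllName": "wzcdlg.dll"},
    "unknownpkg": {"DllName": "C:\\WINDOWS\\system32\\helper.dll"},
}
SAMPLE_LOG = [
    "1171500000.123 245 10.0.0.5 TCP_MISS/200 1520 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1171500003.456 312 10.0.0.7 TCP_MISS/200 688 GET http://fbceeefbdede.com/report.php?id=1 - DIRECT/198.51.100.20 text/plain",
    "1171500009.789 201 10.0.0.7 TCP_MISS/200 29696 GET http://update.dbafbceefae.com/x.exe - DIRECT/198.51.100.21 application/octet-stream",
    "1171500011.000 100 10.0.0.9 TCP_MISS/200 800 GET http://notdffbacfaaf.com/ - DIRECT/198.51.100.22 text/html",
]

if __name__ == "__main__":
    live = collect_notify_entries()  # falls back to the sample off Windows
    for sub, dll, verdict in classify_notify_entries(live or SAMPLE_NOTIFY):
        print(f"{verdict:12} {sub:20} {dll}")
    for lineno, c2 in find_c2_contacts(SAMPLE_LOG):
        print(f"C2 contact on log line {lineno}: {c2}")
```

Any "review" verdict is not itself a finding; it means the DLL is not on the reference allowlist and should be checked against a clean system of the same build.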

Method of Infection

This downloader trojan exists purely to steal sensitive information and to download and run other remote files. It is installed on the victim machine in a way that helps mask its activity.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A

Aliases

  • Trojan-Clicker.Win32.Agent.jn (Kaspersky)
  • W32/Agent.JN!tr (Fortinet)
  • Win32/Vissmod.A (CA)
  • Win32:Agent-GRJ (Avast)
