McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Once Downloader-BCA is executed, it tries to overwrite the local copy of Windows Messenger (MSMSGS.EXE) with a new downloaded copy from

• http://[REMOVED].241.122.17/

Symptoms

It tries to download the following files

• c:\gsz2.exe
• c:\NTDETECT.EXE
• %WINDIR%\SYSTEM32\gsz21.exe
• %WINDIR%\SYSTEM32\impai.exe
• %WINDIR%\SYSTEM32\NIW.exe
• %WINDIR%\SYSTEM32\RuuS.dll
• %WINDIR%\RuuS.exe

It changes Internet Explorer start page to

• http://www.wangyou315.com/[REMOVED]

It changes TXT file association in order to run with

• %WINDIR%\SYSTEM32\impai.exe

The malware initiates traffic to

• http://[REMOVED].241.122.17/

Method of Infection

This purpose of this trojan is simply to download a file from the Internet and execute it. It does not self-replicate. Downloader trojans are frequently sent in spammed emails designed to entice the recipient into running the file.

Removal

All Users :
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

Once Downloader-BCA is executed, it tries to overwrite the local copy of Windows Messenger (MSMSGS.EXE) with a new downloaded copy from

• http://[REMOVED].241.122.17/

Symptoms

Symptoms -

It tries to download the following files

• c:\gsz2.exe
• c:\NTDETECT.EXE
• %WINDIR%\SYSTEM32\gsz21.exe
• %WINDIR%\SYSTEM32\impai.exe
• %WINDIR%\SYSTEM32\NIW.exe
• %WINDIR%\SYSTEM32\RuuS.dll
• %WINDIR%\RuuS.exe

It changes Internet Explorer start page to

• http://www.wangyou315.com/[REMOVED]

It changes TXT file association in order to run with

• %WINDIR%\SYSTEM32\impai.exe

The malware initiates traffic to

• http://[REMOVED].241.122.17/

Method of Infection

Method of Infection -

This purpose of this trojan is simply to download a file from the Internet and execute it. It does not self-replicate. Downloader trojans are frequently sent in spammed emails designed to entice the recipient into running the file.

Removal -

Removal -

All Users :
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A