McAfee > Theat Center > Virus Detail Page

Overview

This description is for a downloader trojan, which gets downloaded through JS/Downloader-AUD and in turn downloads BackDoor-Icug.

The characteristics of this downloader with regards to files downloaded etc will differ depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Troj_Small.HCK (Trend Micro)

• Trojan.Win32.Small.mi (Kaspersky)

• W32.Smalltroj.BHXI (Norman)

Characteristics

At the time of writing this description, this downloader trojan was being downloaded through JS/Downloader-AUD.

When JS/Downloader-AUD is successfully executed on the victim's machine, it connects to "http://64.38.{blocked}/~ftpcom" and downloads a file named "file.php".

This file is actually an executable file which uses the ".php" extension to elude the user.

When this downloaded file is run, it injects itself into svchost.exe and in turn connects to "http://64.38.{blocked}/~ftpcom"
and "http://194.146.{blocked}/ld/guc" and downloads more files to the following folders:

• %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
• %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
• %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\[Random Folder]\ld_guc[1].exe
• %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\[Random Folder]\n1[1].exe

The downloaded files are detected as BackDoor-Icug.

Note:

• In an attempt to make the downloaded files harder to find, the files have their attributes changed to hidden and system
• Software based firewall on the infected machine might not alert about the downloader trying to connect to the internet.
  This is because, the downloader injects itself into svchost.exe to connect to the internet
• %ProgramFiles% and %UserProfile% are variable locations which refer to the program files folder and the user profile
  folder respectively

Symptoms

The presence of the files mentioned is a good symptom of being infected by this downloader.

Method of Infection

This downloader trojan is downloaded by JS/Downloader-AUD. It does not self-replicate.

It could spread manually, however, under the premise that the executable is something beneficial.

The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This description is for a downloader trojan, which gets downloaded through JS/Downloader-AUD and in turn downloads BackDoor-Icug.

The characteristics of this downloader with regards to files downloaded etc will differ depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Troj_Small.HCK (Trend Micro)

• Trojan.Win32.Small.mi (Kaspersky)

• W32.Smalltroj.BHXI (Norman)

Characteristics

Characteristics -

At the time of writing this description, this downloader trojan was being downloaded through JS/Downloader-AUD.

When JS/Downloader-AUD is successfully executed on the victim's machine, it connects to "http://64.38.{blocked}/~ftpcom" and downloads a file named "file.php".

This file is actually an executable file which uses the ".php" extension to elude the user.

When this downloaded file is run, it injects itself into svchost.exe and in turn connects to "http://64.38.{blocked}/~ftpcom"
and "http://194.146.{blocked}/ld/guc" and downloads more files to the following folders:

• %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
• %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
• %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\[Random Folder]\ld_guc[1].exe
• %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\[Random Folder]\n1[1].exe

The downloaded files are detected as BackDoor-Icug.

Note:

• In an attempt to make the downloaded files harder to find, the files have their attributes changed to hidden and system
• Software based firewall on the infected machine might not alert about the downloader trying to connect to the internet.
  This is because, the downloader injects itself into svchost.exe to connect to the internet
• %ProgramFiles% and %UserProfile% are variable locations which refer to the program files folder and the user profile
  folder respectively

Symptoms

Symptoms -

The presence of the files mentioned is a good symptom of being infected by this downloader.

Method of Infection

Method of Infection -

This downloader trojan is downloaded by JS/Downloader-AUD. It does not self-replicate.

It could spread manually, however, under the premise that the executable is something beneficial.

The Trojan may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A