Downloader-BDU
- Type: Trojan
- SubType: Downloader
- Discovery Date: 08/06/2007
- Length: 32.768
- Minimum DAT: 5092 (08/07/2007)
- Updated DAT: 5092 (08/07/2007)
- Minimum Engine: 5.1.00
- Description Added: 08/06/2007
- Description Modified: 08/06/2007 7:35 AM (PT)
Characteristics
Detection was added to cover protection against a malicious 32-bit downloader trojan originally called "html32.exe", having a file size of 32.768 bytes. The file is written in MSVB6 and is not internally compressed with a packer.
Upon running, it displays a small message box titled "Your e-mail:Confirmed!" with the content "Thank You!"
In the meantime the downloader has silently copied itself to the %windows% directory and added a registry entry that launches it automatically at system startup, for example on a Windows 2000 system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows HTML" with data: C:\WINNT\html32.exe (file size 32.768 bytes)
It tries to access a specified website to download further files from:
It also makes a log entry on:
The exact web addresses are deliberately masked here with # characters.
It uses port 1917.
Symptoms
- Presence of a malicious 32-bit downloader originally called "html32.exe", having a file size of 32.768 bytes.
- Seeing a small message box titled "Your e-mail:Confirmed!" with the content "Thank You!"
- Unexpected traffic to: http://###.netf###s.com/up#.exe
- Unexpected traffic to: http://###.netf###s.com/sc#.exe
- Unexpected traffic to: http://scu###.100web###e.net/cgi-bin/###/RAlog.cgi?action=log
- Unexpected use of port 1917
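The symptoms above can be turned into a simple host and network triage check. The following is an added example written for this description, not McAfee's own tooling: it takes a snapshot of the Run key values, a listing of the %windows% directory and a few constructed proxy/firewall log lines, and reports the Downloader-BDU indicators it finds (the Run value name, the dropped file name and size, port 1917, and the unmasked RAlog.cgi?action=log check-in; the masked hosts are replaced by placeholders).

```python
from urllib.parse import urlparse, parse_qs

# Indicators taken from the description above: Run value name, dropped file
# name and size, the port, and the unmasked tail of the logging URL.
RUN_VALUE_NAME = "Windows HTML"
FILE_NAME = "html32.exe"
FILE_SIZE = 32768
C2_PORT = 1917
LOG_CGI = "/ralog.cgi"          # compared case-insensitively

def check_run_values(run_values):
    """run_values: {value name: data} read from HKLM\\...\\CurrentVersion\\Run."""
    return [f"startup hook: {name} = {data}" for name, data in run_values.items()
            if name == RUN_VALUE_NAME or data.lower().endswith(FILE_NAME)]

def check_files(file_listing):
    """file_listing: {path: size in bytes} of the %windows% directory."""
    return [f"dropped file: {path} ({size} bytes)" for path, size in file_listing.items()
            if path.lower().endswith(FILE_NAME) and size == FILE_SIZE]

def check_log_lines(lines):
    """Constructed proxy/firewall log format: '<ts> <src> <dst>:<port> <url-or->'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        port = int(parts[2].rsplit(":", 1)[1])
        if port == C2_PORT:
            findings.append(f"port {C2_PORT} traffic: {line}")
        url = urlparse(parts[3])
        if url.path.lower().endswith(LOG_CGI) and parse_qs(url.query).get("action") == ["log"]:
            findings.append(f"RAlog.cgi check-in: {parts[3]}")
    return findings

def triage(run_values, file_listing, lines):
    return check_run_values(run_values) + check_files(file_listing) + check_log_lines(lines)

# Constructed sample data (not from the page); masked hosts replaced by placeholders.
SAMPLE_RUN = {"Windows HTML": r"C:\WINNT\html32.exe", "Synchronization Manager": "mobsync.exe /logon"}
SAMPLE_FILES = {r"C:\WINNT\html32.exe": 32768, r"C:\WINNT\explorer.exe": 243200}
SAMPLE_LOGS = [
    "2007-08-06T10:01:02 10.0.0.5 192.0.2.10:80 http://log-host.invalid/cgi-bin/x/RAlog.cgi?action=log",
    "2007-08-06T10:01:05 10.0.0.5 192.0.2.11:1917 -",
    "2007-08-06T10:02:00 10.0.0.5 198.51.100.7:80 http://www.example.com/index.html",
]
if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_LOGS):
        print(finding)
```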
Method of Infection
- Manual infection; there is no exploit associated with it.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Aliases
- downloader.vb.vo (avg)
- trojan-downloader.win32.vb.cp (avp)
- trojan.downloader.29235 (drweb)