McAfee > Theat Center > Virus Detail Page

Overview

This description is for a Downloader Trojan, which when executed, could further download more malicious components from the web and install them on the victim’s machine.

The characteristics of this downloader in regards to file names, URLs accessed, files downloaded etc. will differ, depending the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Mal/Dorf-F - [Sophos]

• Trojan-Downloader.Win32.Small.gmd - [Ikarus]

• Trojan.DownLoader.36395 - [Doctor Web]

Characteristics

When executed, this downloader by itself did not seem to drop any files on the victim’s machine. However, it modified the following registry entries:

• HKEY_Local_Machine\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft
  \windows\CurrentVersion\Internet Settings
  Name: Proxy Enable
  Value: 0
• HKEY_Users\s-1-5-18\Software\Microsoft\Windows\Currentversion\Internet Settings\
  Name: Proxy Enable
  Value: 0
• HKEY_Local_Machines\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
  \Paths\Path1
  Name: CacheLimit
  Value: 32694

The above modifications to the registry could lower the security settings of “Internet Explorer”, which in turn would be used by the malware to download further malicious components.

Typical to other malware downloaders, this downloader attempted to download other malicious files from the following sites:

• ntkrnlpa.info

However, at the time of writing this description these files were found absent from the website.

Symptoms

• Presence of files/registry entries mentioned earlier
• Software based firewall, if any installed on the machine might alert about an unknown program attempting to connect to the internet

Method of Infection

Downloader Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This description is for a Downloader Trojan, which when executed, could further download more malicious components from the web and install them on the victim’s machine.

The characteristics of this downloader in regards to file names, URLs accessed, files downloaded etc. will differ, depending the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Mal/Dorf-F - [Sophos]

• Trojan-Downloader.Win32.Small.gmd - [Ikarus]

• Trojan.DownLoader.36395 - [Doctor Web]

Characteristics

Characteristics -

When executed, this downloader by itself did not seem to drop any files on the victim’s machine. However, it modified the following registry entries:

• HKEY_Local_Machine\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft
  \windows\CurrentVersion\Internet Settings
  Name: Proxy Enable
  Value: 0
• HKEY_Users\s-1-5-18\Software\Microsoft\Windows\Currentversion\Internet Settings\
  Name: Proxy Enable
  Value: 0
• HKEY_Local_Machines\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
  \Paths\Path1
  Name: CacheLimit
  Value: 32694

The above modifications to the registry could lower the security settings of “Internet Explorer”, which in turn would be used by the malware to download further malicious components.

Typical to other malware downloaders, this downloader attempted to download other malicious files from the following sites:

• ntkrnlpa.info

However, at the time of writing this description these files were found absent from the website.

Symptoms

Symptoms -

• Presence of files/registry entries mentioned earlier
• Software based firewall, if any installed on the machine might alert about an unknown program attempting to connect to the internet

Method of Infection

Method of Infection -

Downloader Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A