Content

Generic VB.b!e3cf12

Type
Trojan
SubType
Downloader
Discovery Date
10/30/2007
Length
73728 Bytes
Minimum DAT
5152 (10/30/2007)
Updated DAT
5919 (03/13/2010)
Minimum Engine
5.1.00
Description Added
10/30/2007
Description Modified
10/30/2007 3:43 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

The trojan comes packed with another executable and gets dropped into the following locations:

  • \WINDOWS\WindowsUpdateTool.exe (Size: 73,728 bytes)
  • \WINDOWS\system32\msinet.ocx (Size: 115,016 bytes)

WindowsUpdateTool.exe would then run into memory and downloads a text file from

which would insert new entries into the

  • \WINDOWS\system32\drivers\etc\hosts

The entries would look like

  • 199.237.xxx.xx escrow.com
  • 199.237.xxx.xx www.escrow.com
  • 199.237.xxx.xx imgs.escrow.com

The effect of that is that everytime the user would try to visit escrow.com (you can find below a screenshot of the authentic website's main page), she will be directed to a different website of a similar look (find below the main page of the fake website). At the fake website users credentials will be compromised by the attackers.

 

A screenshot showing the authentic escrow.com
You can notice on the right side of the website that the owners are warning the public from fraud attacks against their website. Also, they are listing what they do NOT do.
 
 
 
A screenshot showing the fake escrow.com

Symptoms

  • Modified version of \WINDOWS\system32\drivers\etc\hosts
  • Existence of the following files \WINDOWS\WindowsUpdateTool.exe

Method of Infection

N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

The trojan comes packed with another executable and gets dropped into the following locations:

  • \WINDOWS\WindowsUpdateTool.exe (Size: 73,728 bytes)
  • \WINDOWS\system32\msinet.ocx (Size: 115,016 bytes)

WindowsUpdateTool.exe would then run into memory and downloads a text file from

which would insert new entries into the

  • \WINDOWS\system32\drivers\etc\hosts

The entries would look like

  • 199.237.xxx.xx escrow.com
  • 199.237.xxx.xx www.escrow.com
  • 199.237.xxx.xx imgs.escrow.com

The effect of that is that everytime the user would try to visit escrow.com (you can find below a screenshot of the authentic website's main page), she will be directed to a different website of a similar look (find below the main page of the fake website). At the fake website users credentials will be compromised by the attackers.

 

A screenshot showing the authentic escrow.com
You can notice on the right side of the website that the owners are warning the public from fraud attacks against their website. Also, they are listing what they do NOT do.
 
 
 
A screenshot showing the fake escrow.com

Symptoms

Symptoms -

  • Modified version of \WINDOWS\system32\drivers\etc\hosts
  • Existence of the following files \WINDOWS\WindowsUpdateTool.exe

Method of Infection

Method of Infection -

N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A