
Generic Dropper.l!9116EA24

Type: Trojan
SubType: -
Discovery Date: 06/12/2008
Length: 37697
Minimum DAT: 5316 (06/12/2008)
Updated DAT: 5316 (06/12/2008)
Minimum Engine: 5.2.00
Description Added: 06/12/2008
Description Modified: 06/12/2008 11:22 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Characteristics

File Property        Property Value
File Name            2.exe
McAfee Detection     Generic Dropper.l
Length               37,697 bytes
CRC32                9116EA24
MD5                  2ba1906c0af78b4ecde623d634b78e35
SHA1                 361EE39F0243A78396636F98E2E25AFEB899EC30

Other Common Detection Aliases

Company Name         Detection Name
AhnLab               Dropper/OnlineGameHack.37697
Avira                TR/Crypt.NSPM.Gen
BitDefender          MemScan:Trojan.PWS.OnLineGames.WOM
Dr.Web               Trojan.MulDrop.15082
eSafe (Alladin)      suspicious Trojan/Worm [101]
FortiNet             Agent.GYS!tr
F-Prot               ~W32/Heuristic-210!Eldorado
Microsoft            trojandropper:win32/rootkit.afh
Norman               w32/suspicious_n.gen
Sophos               Troj/Agent-GYS
Symantec             W32.Wowinzi.A
Trend Micro          PAK_Generic.005
Vba32                Trojan-Dropper.Win32.Agent.rez
V-Buster             ~NEW_VIRUS

Avert® Labs has observed the following system activities:

Activity                                Risk Level
Hijacks an Executable's Execution       High
Modifies Memory of Other Processes      High
Enumerates Running Processes            Medium
Enumerates Open Windows                 Low
Registers DLLs                          Informational

System Changes

These are the general defaults for the path variables used below (they may differ between systems, but the following values are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following registry elements have been created:

  • HKEY_CURRENT_USER\_reg\
    • shell = "c:\windows\system32\rundll32.exe" "c:\windows\system32\shell32.dll",control_rundll "c:\docume~1\admini~1\locals~1\temp\dat15.tmp"
  • HKEY_LOCAL_MACHINE\software\classes\clsid\{e25c29ab-12b9-4523-a53c-324b5fba648c}\inprocserver32\
    • (default) = c:\docume~1\admini~1\locals~1\temp\dat15.tmp
    • threadingmodel = apartment

The following registry elements have been changed:

  • HKEY_CURRENT_USER\sessioninformation\
    • programcount = 2
  • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\desktop\
    • mrulist = [binary data]
    • rxmru = [binary data]
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\desktop\
    • mrulist = [binary data]
    • rxmru = [binary data]
    • sysfile = c:\documents and settings\administrator\local settings\temp\2.exe

The following registry elements have been deleted:

  • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\desktop\
    • sysfile = c:\documents and settings\administrator\local settings\temp\2.exe

Symptoms

The symptoms of this detection are the files, registry elements, and network communication referenced in the Characteristics section.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have that combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
