Downloader-BLV

Type: Trojan
SubType: Downloader
Discovery Date: 12/05/2008
Length:
Minimum DAT: 5455 (12/05/2008)
Updated DAT: 5759 (10/02/2009)
Minimum Engine: 5.2.00
Description Added: 12/06/2008
Description Modified: 10/02/2009 1:55 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update October 2, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.theregister.co.uk/2009/10/01/stego_botnet_control/

--

Once executed, the trojan drops the following file:

  • %System%\mst123.dll

It adds the following registry entries:

  • HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter\text/html  (Default) = "Microsoft Default HTML MIME Filter"
  • HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter\text/html  CLSID = "{bea28dc4-c24a-49ab-8c36-1eb03d2f6d36}"
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{bea28dc4-c24a-49ab-8c36-1eb03d2f6d36}\InProcServer32  (Default) = "%System%\mst123.dll"
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{bea28dc4-c24a-49ab-8c36-1eb03d2f6d36}\InProcServer32  ThreadingModel = "Apartment"
  • HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html  (Default) = "Microsoft Default HTML MIME Filter"
  • HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html  CLSID = "{bea28dc4-c24a-49ab-8c36-1eb03d2f6d36}"
  • HKEY_CLASSES_ROOT\CLSID\{bea28dc4-c24a-49ab-8c36-1eb03d2f6d36}\InProcServer32  (Default) = "%System%\mst123.dll"
  • HKEY_CLASSES_ROOT\CLSID\{bea28dc4-c24a-49ab-8c36-1eb03d2f6d36}\InProcServer32  ThreadingModel = "Apartment"
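
These entries register the dropped DLL as a pluggable MIME filter for text/html, which Internet Explorer loads into the browser for every HTML response. As an added example (not code from the advisory), the following Python script parses a `reg export` (.reg) dump and reports any text/html MIME filter registration together with the DLL its CLSID resolves to; the sample .reg text is constructed from the entries above, and %System% is assumed to expand to C:\Windows\system32.

```python
import os
import sys

# Constructed sample of a `reg export` dump mirroring the advisory's entries;
# %System% is assumed to expand to C:\Windows\system32 (assumption, not from the page).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\PROTOCOLS\Filter\text/html]
@="Microsoft Default HTML MIME Filter"
"CLSID"="{bea28dc4-c24a-49ab-8c36-1eb03d2f6d36}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{bea28dc4-c24a-49ab-8c36-1eb03d2f6d36}\InProcServer32]
@="C:\\Windows\\system32\\mst123.dll"
"ThreadingModel"="Apartment"
"""

def parse_reg(text):
    """Parse .reg export text into {key_path(lower): {value_name(lower): data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"').lower()
            if data.startswith('"') and data.endswith('"'):       # REG_SZ: unescape \\ and \"
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys

def find_html_mime_filters(keys):
    """Report every text/html MIME filter (HKCU or HKCR) and the DLL its CLSID loads.
    Any registration here deserves a look; the advisory's own DLL is mst123.dll."""
    findings = []
    for path, values in keys.items():
        if not path.endswith(r"\protocols\filter\text/html"):
            continue
        clsid = values.get("clsid", "").lower()
        dll = next((v.get("@") for k, v in keys.items()
                    if clsid and k.endswith("\\clsid\\" + clsid + "\\inprocserver32")), None)
        findings.append({"filter_key": path, "clsid": clsid, "dll": dll})
    return findings

def matches_advisory(findings):
    """Subset whose resolved DLL is the mst123.dll named in the advisory."""
    return [f for f in findings
            if f["dll"] and os.path.basename(f["dll"].replace("\\", "/")).lower() == "mst123.dll"]

if __name__ == "__main__":
    # Pass a .reg file (reg export writes UTF-16) to scan a real dump instead of the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for finding in find_html_mime_filters(parse_reg(text)):
        print(finding)
```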

It searches for and attempts to terminate the following processes:

  • seccenter.exe
  • uiscan.exe
  • SSU.exe
  • SpySweeperUI.exe
  • SpySweeper.exe
  • WRConsumerService.exe
  • syssvcnt.exe
  • dvpapi.exe
  • THSM.EXE
  • THD32.EXE
  • THAV.EXE
  • GDFwSvc.exe
  • GDFirewallTray.exe
  • AVKWCtl.exe
  • AVKTray.exe
  • AVKService.exe
  • AVKProxy.exe
  • TFService.exe
  • pctsTray.exe
  • pctsSvc.exe
  • pctsAuxs.exe
  • BDTUpdateService.exe
  • sbamui.exe
  • SBAMTray.exe
  • SBAMSvc.exe
  • VMwareUser.exe
  • VMwareTray.exe
  • VMwareService.exe
  • vmacthlp.exe
  • K7TSMngr.exe
  • K7TSecurity.exe
  • K7SysTry.exe
  • K7SysMon.exe
  • K7RTScan.exe
  • K7PSSrvc.exe
  • K7FWSrvc.exe
  • K7EmlPxy.exe
  • vrrepair.exe
  • vrmonsvc.exe
  • vrmonnt.exe
  • vrfwsvc.exe
  • vrfwsock.exe
  • hsvcmod.exe
  • HrRes.exe
  • hpcsvc.exe
  • HFACSvc.exe
  • spiderui.exe
  • spidernt.exe
  • spiderml.exe
  • drwebscd.exe
  • WinSSUI.exe
  • winssnotify.exe
  • winss.exe
  • OcHealthMon.exe
  • msfwsvc.exe
  • CounterSpy.exe
  • SBCSTray.exe
  • SBCSSvc.exe
  • Nsesvc.exe
  • CClaw.exe
  • Nvcoas.exe
  • Nip.exe
  • Zlh.exe
  • nuaa.exe
  • npcsvc32.exe
  • Njeeves.exe
  • nvcsched.exe
  • npfsvc32.exe
  • nvoy.exe
  • Zanda.exe
  • nprosec.exe
  • elogsvc.exe
  • avgas.exe
  • guard.exe
  • AFMain.exe
  • ACASP.exe
  • ACAEGMr.exe
  • MSProxy.ahn
  • ACAAS.exe
  • ACAIS.exe
  • ACALS.exe
  • AhnSD.exe
  • AhnSDsv.exe
  • svcprs32.exe
  • PPCtlPriv.exe
  • mdmcls32.exe
  • cfgmng32.exe
  • ppctlpriv.exe
  • ccprovsp.exe
  • QOELoader.exe
  • capfasem.exe
  • cavrid.exe
  • caavguiscan.exe
  • cappactiveprotection.exe
  • cctray.exe
  • vetmsg.exe
  • ITMRTSVC.exe
  • isafe.exe
  • UmxAgent.exe
  • UmxPol.exe
  • UmxFwHlp.exe
  • UmxCfg.exe
  • CAGlobalLight.exe
  • CAGlobal.exe
  • FProtTray.exe
  • FPAVServer.exe
  • UfUpdUi.exe
  • TSCFPlatformCOMSvr
  • UfSeAgnt.exe
  • TmProxy.exe
  • TmPfw.exe
  • TMBMSRV.exe
  • SfCtlCom.exe
  • ALsvc.exe
  • SAVAdminService.exe
  • SavService.exe
  • ALMon.exe
  • avp.exe
  • egui.exe
  • ekrn.exe
  • livesrv.exe
  • bdagent.exe
  • vsserv.exe
  • xcommsvr.exe
  • avgcc.exe
  • avgamsvr.exe
  • avgupsvc.exe
  • avgemc.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgam.exe
  • avgtray.exe
  • avgfws8.exe
  • avgwdsvc.exe
  • fsav32.exe
  • fsus.exe
  • fsdfwd.exe
  • fsqh.exe
  • fsaua.exe
  • FAMEH32.exe
  • FCH32.EXE
  • FSMB32.exe
  • fsavgui.exe
  • fsguidll.exe
  • FSM32.EXE
  • fssm32.exe
  • FSMA32.EXE
  • fsgk32st.exe
  • AluSchedulerSvc.exe
  • ccSvcHst.exe
  • mcvsshld.exe
  • mcvsmap.exe
  • mcsysmon.exe
  • McSACore.exe
  • mcagent.exe
  • msksrver.exe
  • MpfSrv.exe
  • Mcshield.exe
  • McProxy.exe
  • McNASvc.exe
  • mcmscsvc.exe
  • mcupdmgr.exe
  • vbsystry.exe
  • vbcmserv.exe
  • psksvc.exe
  • PavBckPT.exe
  • IFace.exe
  • ApVxdWin.exe
  • WEBPROXY.EXE
  • APVXDWIN.EXE
  • PslmSvc.exe
  • PSHost.exe
  • PavPrSrv.exe
  • PavFnSvr.exe
  • PsCtrlS.exe
  • TPSrv.exe
  • AVENGINE.EXE
  • PAVSRV51.EXE
  • escanmon.exe
  • TRAYICOS.EXE
  • CONSCTL.EXE
  • TRAYSSER.EXE
  • avpmapp.exe
  • MWAGENT.EXE
  • MWASER.EXE
  • vba32ldr.exe
  • EMLPROUI.EXE
  • qhfw.exe
  • QUHLPSVC.EXE
  • ONLINENT.EXE
  • SCANMSG.EXE
  • UPSCHD.EXE
  • EMLPROXY.EXE
  • SCANWSCS.EXE
  • ONLNSVC.EXE
  • PXConsole.exe
  • PXAgent.exe
  • guardxkickoff.exe
  • guardxup.exe
  • guardxservice.exe
  • ashDisp.exe
  • ashWebSv.exe
  • ashMaiSv.exe
  • ashServ.exe
  • aswUpdSv.exe
  • RavMon.exe
  • RavTask.exe
  • RavStub.exe
  • RavMonD.exe
  • CCenter.exe
  • mantispm.exe
  • zlclient.exe
  • Monitor.exe
  • vsmon.exe
  • avwebgrd.exe
  • avmailc.exe
  • avgwsvc.exe
  • avesvc.exe
  • avgnt.exe
  • sched.exe
  • avguard.exe

The dropped DLL attempts to download a file from the following URLs:

  • http://88.80.[removed]/karaq/[removed].php
  • http://cdn.cdt[removed]/karaq/[removed].php
  • http://cdn.cl[removed]/karaq/[removed].php

The downloaded file carries a JPEG file header so that it passes as an image. The trojan then decrypts the data in the file to obtain URLs from which it downloads and executes additional malware.

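The disguised payload above carries a JPEG header without being a real image. As an added example, not from the advisory, this Python check walks the JPEG marker segments after the header to separate a structurally valid JPEG from a file that only borrows the header; the byte strings are constructed samples, and the check is a heuristic (data hidden inside a genuine, well-formed JPEG would still pass it).

```python
import struct

def looks_like_real_jpeg(data: bytes) -> bool:
    """Walk the marker segments that follow SOI (FF D8). Return True only if they
    form a consistent chain up to a Start-of-Scan (or EOI); a file that merely
    starts with a JPEG header and then carries an opaque blob fails here."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False                       # expected a marker byte
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                     # EOI reached without a scan
            return True
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            return False                       # segment overruns the file
        if marker == 0xDA:                     # SOS: header segments were consistent
            return True
        pos += 2 + length
    return False

def classify(data: bytes) -> str:
    """'not-jpeg', 'jpeg', or 'jpeg-header-only' (the advisory's disguise)."""
    if data[:2] != b"\xff\xd8":
        return "not-jpeg"
    return "jpeg" if looks_like_real_jpeg(data) else "jpeg-header-only"

# Constructed samples: a minimal well-formed JPEG prefix (SOI, APP0/JFIF, SOS) and a
# file that copies the same JFIF header and then carries an opaque blob.
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
REAL_JPEG = JFIF_HEADER + b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00" + b"\x00" * 4 + b"\xff\xd9"
FAKE_JPEG = JFIF_HEADER + bytes(range(0x10, 0x40))   # stands in for the encrypted URL list

if __name__ == "__main__":
    for name, blob in (("real", REAL_JPEG), ("fake", FAKE_JPEG), ("exe", b"MZ\x90\x00")):
        print(name, classify(blob))
```
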
Symptoms

  • Presence of previously mentioned registry keys.
  • Presence of previously mentioned files.
  • Presence of unexpected network connections to previously mentioned URLs.

Method of Infection

N/A. Downloaders are not viruses and as such do not themselves contain any method of replication. However, they may themselves be downloaded by other viruses and/or Trojans and installed on the user's system.

Many are also mass-spammed by the author to entice recipients into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page, either by clicking on a link or by the website hosting a scripted exploit that installs the Downloader onto the user's system with no user interaction.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

Downloader-BLV is a trojan that downloads additional malware.
