Downloader-CJX

Type: Trojan
SubType: Downloader
Discovery Date: 07/10/2010
Length: Varies
Minimum DAT: 6040 (07/11/2010)
Updated DAT: 6499 (10/14/2011)
Minimum Engine: 5.4.00
Description Added: 07/10/2010
Description Modified: 07/22/2010 2:42 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

When executed, this malware creates the following files:

Note:

  • The MD5 of the malware dropped in the above location changes every time the malware is executed
  • %UserProfile% is a variable location and refers to the user's profile folder, e.g. C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP)

The malware also drops copies of itself on any inserted USB disk, along with several .lnk files pointing to this executable. Existing folders are randomly selected and made hidden, and .lnk files carrying folder icons are created to mimic the existing folders.

The malware then creates the following registry entries:

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
    Data: "mbvoj.exe" = "%userprofile%\mbvoj.exe"

The above registry entry ensures that the malware executes on Windows Startup.

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Data: "ShowSuperHidden" = 00, 00, 00, 00

The above registry entry ensures that hidden files and folders are not displayed in Windows Explorer.

The malware attempts to connect to the following domains to download additional malware:

  • ns1.thepicture[removed].net
  • bert[removed].com
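A read-only host audit for the persistence and removable-drive indicators described above, added here as an example and not part of the original description. The Run value name "mbvoj.exe", the ShowSuperHidden tampering and the hidden-folder/.lnk pattern come from the page; the script assumes removable drives are mounted with drive letters.

```powershell
# Added example: audit a host for the indicators in this entry. Read-only; nothing is changed.

# 1. Run-key persistence: value "mbvoj.exe" (from the page) or any value pointing at an EXE in the profile root
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'mbvoj.exe' -or
            $p.Value -like '%userprofile%\*.exe' -or
            $p.Value -like "$env:USERPROFILE\*.exe") {
            Write-Warning "Suspicious Run entry: $($p.Name) = $($p.Value)"
        }
    }
}

# 2. Explorer tampering: ShowSuperHidden forced to 0 conceals hidden/system items
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -Name ShowSuperHidden -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) {
    Write-Warning "ShowSuperHidden is 0 under $advKey (hidden files are not shown)"
}

# 3. Removable drives (DriveType 2): autorun.inf at the root, and .lnk files named after hidden folders
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($d in $removable) {
    $root = $d.DeviceID + '\'
    if (Test-Path (Join-Path $root 'autorun.inf')) {
        Write-Warning "autorun.inf present at the root of $root"
    }
    # Folders the malware hid; a shortcut with the same base name is the decoy the text describes
    $hiddenDirs = Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($lnk in Get-ChildItem -Path $root -Filter *.lnk -ErrorAction SilentlyContinue) {
        $name = [IO.Path]::GetFileNameWithoutExtension($lnk.Name)
        if ($hiddenDirs.Name -contains $name) {
            Write-Warning "Shortcut $($lnk.FullName) mimics hidden folder '$name'"
        }
    }
}
```

Any warning printed is a lead to triage with the latest DATs, not proof of infection on its own.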

Symptoms

  • Presence of files and registry entries mentioned
  • Unexpected connections to the above mentioned domains
  • Presence of the following autorun.inf file on the root of removable and fixed drives:

Method of Infection

This malware spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

This malware may also be received under the premise that it is beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants

    N/A

All Information

Overview

This description is for a Downloader Trojan, which when executed, could further download more malicious components from the web and install them on the victim’s machine.

The characteristics of this downloader in regards to file names, URLs accessed, files downloaded etc. will differ, depending on the way in which the attacker has configured it. Hence, this is a general description.


Aliases

  • TR/Dldr.Gaat.B [Avira]
  • W32.Changeup [Symantec]
  • W32/Autorun-BFG [Sophos]
  • Win32/AutoRun.VB.RD [Nod32]
  • Worm.Win32.VBNA [Ikarus]
  • Worm.Win32.VBNA.aitt [Kaspersky]
  • Worm:Win32/Vobfus.R [Microsoft]
