Downloader-CJX.gen.g

Type: Trojan
SubType: Generic
Discovery Date: 07/24/2010
Length: varies
Minimum DAT: 6053 (07/24/2010)
Updated DAT: 6496 (10/11/2011)
Minimum Engine: 5.3.01
Description Added: 07/24/2010
Description Modified: 11/10/2010 3:31 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update November 10th, 2010 --

Some variants have been identified as being infected with the parasitic virus W32/Virut.n.gen.

-----------------------------------

This is an updated version of Downloader-CJX, which is described in more detail at http://vil.nai.com/vil/content/v_268362.htm

This new variant has been updated to exploit a specific vulnerability in the Microsoft Windows Shell as described in CVE-2010-2568.

Upon execution, the malware drops the files listed in the Downloader-CJX description, including the LNK files with common folder names, and also tries to hide the folders with the same names.

It also drops a file named "xxx.dll" and several LNK files with random 3-letter names that exploit the Windows Shell vulnerability to load that DLL whenever the user views them in Explorer.exe.

The DLL is already detected as Generic.dx!tfh and the LNK files as Exploit-CVE-2010-2568.

Symptoms

The presence of aforementioned files and network connections.

Method of Infection

This malware spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file or the LNK exploit files could cause automatic execution of the worm.

This malware may also be received under the premise that it is beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
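The following triage heuristic is an added example, not part of this description or of the vendor's tooling. It flags, in a directory listing taken from a share or removable drive, the artefacts described under Characteristics and Method of Infection: an Autorun.inf, LNK files that stand in for a folder of the same name that has been hidden, and random three-character LNK names sitting beside a DLL. The Entry record, the triage function and the SAMPLE_DRIVE listing are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Random three-character LNK names such as the ones this variant drops
SHORT_LNK = re.compile(r"^[a-z0-9]{3}\.lnk$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    """One directory entry. On Windows the hidden flag would be read from
    os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN."""
    name: str
    is_dir: bool
    hidden: bool


def triage(entries):
    """Return indicator strings for the artefacts this description lists."""
    findings = []
    names = {e.name.lower() for e in entries}
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    lnks = [e for e in entries if not e.is_dir and e.name.lower().endswith(".lnk")]
    dlls = [e for e in entries if not e.is_dir and e.name.lower().endswith(".dll")]

    if "autorun.inf" in names:
        findings.append("autorun.inf present")

    # LNK files named after a sibling folder that has been hidden
    for e in lnks:
        stem = e.name[:-4].lower()
        if stem in dirs and dirs[stem].hidden:
            findings.append(f"hidden folder '{dirs[stem].name}' shadowed by LNK '{e.name}'")

    # Short random LNK names next to a DLL: the CVE-2010-2568 loader layout
    short = [e for e in lnks if SHORT_LNK.match(e.name)]
    if short and dlls:
        dll_names = ", ".join(sorted(d.name for d in dlls))
        findings.append(f"{len(short)} short-named LNK(s) beside DLL(s): {dll_names}")
    return findings


# Constructed listing of a removable drive showing the layout described above
SAMPLE_DRIVE = [
    Entry("Autorun.inf", False, True),
    Entry("Photos", True, True),        # real folder, hidden by the malware
    Entry("Photos.lnk", False, False),  # LNK shown in its place
    Entry("abc.lnk", False, False),     # random three-letter exploit LNKs
    Entry("q7z.lnk", False, False),
    Entry("xxx.dll", False, True),      # DLL loaded through the LNK exploit
]
```

Running `triage(SAMPLE_DRIVE)` yields three findings; a clean drive, or a visible folder with a matching LNK, yields none.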

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This description is for a Downloader Trojan, which when executed, could further download more malicious components from the web and install them on the victim's machine.