Generic.dx!tkr

Type: Trojan
SubType: Win32
Discovery Date: 08/18/2010
Length: Varies
Minimum DAT: 6078 (08/18/2010)
Updated DAT: 6484 (09/29/2011)
Minimum Engine: 5.2.00
Description Added: 08/18/2010
Description Modified: 09/02/2010 3:23 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

"Generic.dx!tkr" is classified as a Trojan that steals personal information such as credit card numbers and login credentials from affected systems. After gathering the sensitive information, it sends it to the remote attacker.

This Trojan is a DLL dropped by the source file. It registers itself as a Browser Helper Object and injects into the following Windows processes, in which it performs its malicious activity:

    • Explorer.exe
    • IExplorer.exe

The following registry values are modified (these policy values disable Task Manager and the registry editing tools for the user):

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
      • DisableTaskmgr = "1"
      • DisableRegistryTools = "1"

This Trojan spreads via removable drives and attempts to steal sensitive information such as passwords from the affected computer. The autorun.inf entries it writes to a removable drive point the drive's AutoPlay and "Open" actions at its own executable while presenting the folder icon and "Open folder to view files" text of an ordinary folder:

    open=RECYCLER\recycld.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\recycld.exe
    shell\open\default=1
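As an added defender-side example (not McAfee's own code), the following Python parses an autorun.inf and reports which of the entries above mark the disguise: an executable launched from a RECYCLER directory, the folder icon taken from SHELL32.dll, and folder-style action text. The sample input is constructed to mirror the entries listed above.

```python
# Added detection example (not McAfee's code): flag autorun.inf entries that use
# the removable-drive disguise described for this Trojan.
import re
from typing import Dict, List

# Constructed sample mirroring the autorun entries the page attributes to the Trojan.
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\recycld.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\recycld.exe
shell\open\default=1
"""

# Keys whose value the shell launches on AutoPlay or when the drive is opened.
EXEC_KEYS = ("open", "shell\\open\\command", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse key=value lines into a dict (keys lower-cased, quotes stripped)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):  # skip comments and sections
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def autorun_findings(text: str) -> List[str]:
    """Return the reasons an autorun.inf looks like this Trojan's, in EXEC_KEYS order."""
    e = parse_autorun(text)
    findings: List[str] = []
    for key in EXEC_KEYS:
        target = e.get(key, "")
        if not target:
            continue
        # Payload hidden in a directory named like the Recycle Bin (RECYCLER/RECYCLED).
        if re.search(r"(^|[\\/])recycle[rd]?[\\/]", target, re.IGNORECASE):
            findings.append(f"{key} launches from RECYCLER folder: {target}")
        elif re.search(r"\.(exe|scr|com|bat|cmd|vbs)$", target, re.IGNORECASE):
            findings.append(f"{key} launches an executable: {target}")
    # SHELL32.dll icon index 4 is the generic folder icon: the drive looks like a folder.
    if re.search(r"shell32\.dll,\s*4$", e.get("icon", ""), re.IGNORECASE):
        findings.append("icon mimics a folder (SHELL32.dll,4)")
    if "open folder" in e.get("action", "").lower():
        findings.append("AutoPlay action text mimics 'Open folder to view files'")
    return findings
```

Running `autorun_findings(SAMPLE_AUTORUN)` yields four findings; a plain autorun.inf that only sets a label and a custom icon yields none.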

The Trojan creates the following files to store logged keystrokes. The gathered credentials are written to these log files and sent to the attacker by e-mail as attachments:

    • gdr.txt
    • o4h.txt
    • rgg.txt
    • dxe.txt
    • lpe.txt
    • eeef.txt
    • lbbf.txt
    • lrg.txt
    • fsc.txt
    • ide.txt
    • ptd.txt
    • qks.txt
    • ccdf.txt
    • bdf.txt

This Trojan attempts to steal the stored passwords from the following applications:

    • Internet Explorer Password Protected Sites
    • MSN Explorer Signup
    • Microsoft Outlook Express
    • Internet Explorer Auto Complete Fields
    • Internet Explorer Auto Complete Passwords
    • Internet cookies
    • Passwords stored in pstore.dll

This Trojan monitors whether the user is accessing the “bankof[removed].com” banking website; if so, it takes a snapshot of the system and sends it to the attacker as the file klgd.bmp.

Symptoms

The symptoms of this detection are the files, registry changes, and network communication referenced in the Characteristics section.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

    N/A

All Information

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information

    • MD5 - 62865552ADD3567372CD6861DDB227FC
    • SHA1 - DE796674DDA97C4402AD2CD5D0EFCD0B61AC4D36

Aliases

    • Comodo - TrojWare.Win32.TrojanDownloader.BHO.~BA
    • Kaspersky - Trojan.Win32.Agent2.csxx
    • Microsoft - Worm:Win32/Ambler.A
    • NOD32 - a variant of sWin32/AutoRun.Spy.Ambler.NAC
