McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.ldr

• Downloader.cfg

• Troj/Downloader

• Trojan.Win32.Loder.WPW

• W95/Loader

• WWWPW

Characteristics

Jan 10/2002: Many more downloader trojans have been found; they are named by an alphabet sequence (Downloader-B then Downloader-C and so on.)

This trojan was found by Virus Patrol in several newsgroup postings as the filename "QuickFlick.mpg.exe". This trojan downloads another trojan from the Internet and runs it silently. The downloaded trojan is identified as BackDoor-Sub7. A security group known as "NETSEC" alerted the Internet community about BackDoor-Sub7 by calling it "Serbian Badman Trojan (TSB Trojan". Users most affected by this trojan are not running AntiVirus software. Other news stories suggest that the controlling trojan which is downloaded is a new threat - it is not. Although the trojan known as "Downloader" is new, the file downloaded is a known trojan.

This is a trojan which downloads components from the Internet via http transfer. This method makes it dangerous in that the transferred file could be anything.

When run, it connects via http to a host then downloads *and* silently runs the real trojan. Although the icon for initial trojan which downloads the second trojan is a standard EXE icon, the file which is downloaded is a movie player icon. If a user trusts the icon rather than the file extension, they will be deceived.

Symptoms

Open port connection. Use NETSTAT -A to determine if a port is open to the Internet which is not known or assigned to a known running application.

Method of Infection

This trojan was created using a construction kit known as "WWWPW".

If this trojan is executed, it will attempt to connect to a predetermined url and download a predetermined file name. At present, this file name contains a remote access trojan known as BackDoor-G2 (Sub7).

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• Backdoor.ldr

• Downloader.cfg

• Troj/Downloader

• Trojan.Win32.Loder.WPW

• W95/Loader

• WWWPW

Characteristics

Characteristics -

Jan 10/2002: Many more downloader trojans have been found; they are named by an alphabet sequence (Downloader-B then Downloader-C and so on.)

This trojan was found by Virus Patrol in several newsgroup postings as the filename "QuickFlick.mpg.exe". This trojan downloads another trojan from the Internet and runs it silently. The downloaded trojan is identified as BackDoor-Sub7. A security group known as "NETSEC" alerted the Internet community about BackDoor-Sub7 by calling it "Serbian Badman Trojan (TSB Trojan". Users most affected by this trojan are not running AntiVirus software. Other news stories suggest that the controlling trojan which is downloaded is a new threat - it is not. Although the trojan known as "Downloader" is new, the file downloaded is a known trojan.

This is a trojan which downloads components from the Internet via http transfer. This method makes it dangerous in that the transferred file could be anything.

When run, it connects via http to a host then downloads *and* silently runs the real trojan. Although the icon for initial trojan which downloads the second trojan is a standard EXE icon, the file which is downloaded is a movie player icon. If a user trusts the icon rather than the file extension, they will be deceived.

Symptoms

Symptoms -

Open port connection. Use NETSTAT -A to determine if a port is open to the Internet which is not known or assigned to a known running application.

Method of Infection

Method of Infection -

This trojan was created using a construction kit known as "WWWPW".

If this trojan is executed, it will attempt to connect to a predetermined url and download a predetermined file name. At present, this file name contains a remote access trojan known as BackDoor-G2 (Sub7).

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

N/A