Downloader-BO.dr

Type: Trojan
SubType: VbScript
Discovery Date: 11/16/2002
Length: 13,298 bytes
Minimum DAT: 4234 (11/20/2002)
Updated DAT: 4250 (02/26/2003)
Minimum Engine: 5.1.00
Description Added: 11/19/2002
Description Modified: 10/31/2003 11:48 AM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update Oct 31, 2003--
Another mass-spamming of this trojan occurred today. Under the file name undelivered.hta, the trojan creates the file c:\mware.exe, which is the W32/Mimail.c@MM worm.

-- Update May 23, 2003--
Another large spamming of this trojan was sent yesterday. The 4.2.40 engine and current DATs detect this threat. The message is as follows:

Subject: Undelivered Mail Returned to Sender
Body: There were errors processing you mail. Please, read detailed information in the attachment
Attachment: Error.hta

-- Update May 09, 2003--
The risk assessment of this threat was updated to Low-Profiled due to media attention at the following site: http://www.infoworld.com/article/03/05/09/HNmothersday_1.html

-- Update May 07, 2003--
Periodically new variants of this trojan are spammed to a large number of email addresses. The latest round occurred yesterday with a message using the following information:

Subject: Warning: could not send message!
Attachment: Error.hta

When the attachment is run the following window appears:

************************************************
THIS IS A WARNING MESSAGE ONLY
****
YOU DO NOT NEED TO RESEND YOUR MESSAGE
************************************************
The original message was received at Tue, 06 May 2003 15:08:31 -0400 (GMT)
from wI0lH550Iz@usa.net
----- The following addresses had transient non-fatal errors -----
domreg@ociweb.com
----- Transcript of session follows -----
451 domreg@ociweb.com... ociweb.com: Name server timeout
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

This variant is detected with the current DAT files.
---- End Update ----

This threat is detected as Downloader-BO.dr. It is known to have been spammed to many users. The message may arrive as follows:

From: MAILER-DAEMON@%recipient domain%
Subject: FAILED DELIVERY
Body:
Unfortunately, it was not possible to deliver one or more of your messages. For more information, please, take a look in the attachment.

or Body:
Your message, attached
did not reach the reciepent. %number% @%recipient domain% #5.5.0 smtp; 550 Requested action not taken: mailbox unavailable.

Attachment: mail.hta

The MAIL.HTA attachment displays a fake skin cream advert in HTML format.

--------------------------------------------------------------------------------
The following message was sent to you as an opt-in subscriber to EmailStimulator or its affiliates. We will continue to bring you valuable offers on the products and services that interest you most. To no longer receive these offers, please click here. Unsubscribe.
--------------------------------------------------------------------------------

We are so positive that this remarkable, new cream will perform like no other cream you have ever tried that we are offering you a trial sample at absolutely no cost to you. You'll discover that within a few short weeks of using Perfection by Paradise your skin will undergo such a magnificent transformation that you will never want to be without it again. Perfection by Paradise offers you a totally unique approach to achieving ageless, smooth, and vitally young skin. Perfection saturates layer after layer of thirsty skin cells with humectants to hold in moisture and protein to revitalize. The result? Skin cells that are plumped up, not dry, and packed with healthy protein...and a massive reduction in lines, signs of stress, roughness and skin damage. Our supply is extremely limited and the demand is staggering so please take advantage of our incredible offer before it's too late. Just click the link provided below for the best skin of your life.
Click Here!
--------------------------------------------------------------------------------
The message above was sent to you as an opt-in subscriber to EmailStimulator or its affiliates. We will continue to bring you valuable offers on the products and services that interest you most. To no longer receive these offers, please click here. Unsubscribe.
http://unsubscribe.e54.org/g/unsubscribe.php
To have your email address removed by postal mail or fax...
Email Stimulator, Inc.
5500 Military Trail, Suite 22-111
Jupiter, FL 33458
443.785.2646 (Fax)

This HTA file contains an embedded VBScript. The script drops the file C:\sys615.scr or c:\Progra~1\Outloo~1\outl32.scr and executes it. This .SCR file is detected as Downloader-BO with the 4233 DAT files or higher.

Symptoms

The presence of the file C:\sys615.scr or c:\Progra~1\Outloo~1\outl32.scr.

Method of Infection

This trojan dropper arrives as an HTML file with an .HTA extension. This HTML file contains a VBScript that writes out an executable to the local file system.
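The fake-bounce-plus-HTA pattern described above and in Characteristics can be triaged at a mail gateway. This is an added example, not McAfee's code or the sample's script; it assumes the lure subjects quoted on this page, and the message at the end is a constructed sample.

```python
# Added example (not McAfee's code): mail-gateway triage for the fake-bounce
# HTA lure described on this page; SAMPLE_EML at the end is constructed.
import email
import re
from email import policy
LURE_SUBJECTS = {"failed delivery", "undelivered mail returned to sender",
                 "warning: could not send message!"}  # subjects quoted above
DROPPER_MARKERS = {
    "fso": re.compile(r"Scripting\.FileSystemObject", re.I),
    "write": re.compile(r"\.(Create|Open)TextFile\b", re.I),
    "exe_path": re.compile(r"\.(scr|exe)\b", re.I),
    "run": re.compile(r"WScript\.Shell|\.Run\b", re.I),
}
def hta_dropper_markers(script_text):
    return sorted(k for k, rx in DROPPER_MARKERS.items() if rx.search(script_text))
def triage_message(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    bounce_lure = ("mailer-daemon" in (msg.get("From") or "").lower()
                   or subject in LURE_SUBJECTS)
    hta, markers = [], set()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".hta"):
            hta.append(name)
            body = part.get_content()
            if isinstance(body, bytes):  # e.g. application/octet-stream
                body = body.decode("latin-1", errors="replace")
            markers.update(hta_dropper_markers(body))
    # A bounce alone is normal; a bounce carrying an .hta, or an .hta whose
    # script writes and then runs a file, matches the lure on this page.
    return {"bounce_lure": bounce_lure, "hta_attachments": hta,
            "markers": sorted(markers),
            "suspicious": bool(hta) and (bounce_lure or len(markers) >= 3)}
SAMPLE_EML = b"""\
From: MAILER-DAEMON@example.net
Subject: FAILED DELIVERY
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="mail.hta"
Content-Disposition: attachment; filename="mail.hta"

<script language="VBScript">
CreateObject("Scripting.FileSystemObject").CreateTextFile("C:\\sys615.scr")
' constructed sample: payload bytes omitted
CreateObject("WScript.Shell").Run "C:\\sys615.scr"
</script>
--b1--
"""
```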

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Downloader.BO.B.dr (Symantec)
  • TrojanDropper.VBS.Inor (Kaspersky)
  • VBS/Inor (Panda)
  • VBS/Maz.Worm (CA)
  • VBS_INOR (Trend)
