Virus Alert: Trojan Downloads, Deploys Additional Components

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  

Troj/DownLdr-DI is a malicious program that downloads and deploys additional components from URLs stored (in encrypted form) inside the program. Because these components are fetched only when you run the Trojan, their contents may change at any time. Sophos has received several reports of this Trojan from users who appear to have received it in an orchestrated email blast, presumably by the Trojan's author. More information is at this Sophos page.

W32/Lohack.c@MM Arrives in Email Message

This is a simple mass-mailing worm that also spreads via the KaZaa file-sharing network. It is a UPX packed Microsoft Visual C++ executable and arrives in an email message containing the following information:
Subject: Windows update
Body: Install this Windows update (for all versions)
Attachment: windows_update.txt.exe

Running the attachment causes the worm to send itself, using MAPI, to email addresses found in .DBX, .EML, .HTM, .IDX, .MDX, .MSG, .NCH, and .TXT files found on the system. If the user does not run the attachment, but does visit the link in the email message, script on the page will attempt to refresh and load an email file "update.eml". The email file contains an IFrame exploit which may launch an embedded copy of "windows_update.txt.exe". Read more at this McAfee page.

BackDoor-AXQ Spreads Manually

This is a remote access Trojan. It is spread manually and may arrive with the file name winrcLoader.exe, however, is not limited to this file name or extension. It opens a TCP port (1976) to allow a remote attacker to perform various tasks on an infected system. When run, the Trojan installs 3 components to the WINDOWS (%WinDir%) directory:
--winrc.htm (130 bytes)
--winrc.dll (28,672 bytes)
--winrcobj.dll (126,976 bytes)

It also copies itself to this directory and creates an HTML file, winrc.htm. Several registry keys are created. View them and other information at this McAfee page.

Multiple Versions of Downloader-DI Trojan Exist

The versions of Download-DI are known to have been spammed out to users by email. Users are recommended to use the latest engine/DATs for optimal detection.

When run, it connects to the hacker's site to download a remote file. This remote file is a backdoor Trojan, detected as BackDoor-AXJ. Spammed email messages with various characteristics have been reported. For example:
From: Wells Fargo Accounting
To: username
Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489
Attachment: wellsfargo.biz.jsessionid=5QWBU8TLSM01.pif

More information is at this McAfee page.

Worm_Jantic.B Sends Out Mass Emails

This variant of WORM_JANTIC.A mass-mails copies of itself all addresses listed in the Microsoft Outlook address book. It sends out an email with any of a variety of formats. View them at this Trend Micro page.

--Compiled by Esther Shein

Submit a Comment

Loading Comments...