Samker's Computer Forum - SCforum.info

World TOP Headlines: => Latest Security News & Alerts => Topic started by: Amker on 16. June 2007., 15:21:31

Title: Downloader-AZM
Post by: Amker on 16. June 2007., 15:21:31
This trojan downloads variants of various password stealers including password stealer for games. The download site may vary but it is observed to use a configuration file before starting the download. This configuration file is detected as PWS-Lineage.ini. The downloaded files are detected as PWS-Lineage.

Characteristics -

The recent variant of this trojan is observed to contact the following website to download.
hxxp://0011.89111.cn

It may change the Internet Explorer settings to make www[.]sina.com.cn the default page.

It adds the following registry key to restart on reboot:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ravshell: "%programfiles%\Eset\1explore.exe" (Filename may vary)

The downloader copies itself to:
%programfiles%\Eset\1explore.exe (Filename may vary)

Some variants drop the following rootkit:
%SystemDir%\norton.sys (detected as Vanti.sys)

Symptoms -

TCP traffic to:
hxxp://0011.89111.cn (60.190.118.19)

Presence of aforementioned registry key and file.

Due to the execution of downloaded files, the infected computer may have registry keys similar to those below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "%temp%\woso.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mhsa: "%temp%\mhso.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxsa: "%temp%\rxso.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B202102-FE38-11cf-64CD-21FF5FE1CF20}\StubPath: "%sysdir%\<RANDOM>.exe"

It is recommended to submit all undetected files to McAfee Avert Labs for further analysis.


Method of Infection -

N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction).


If you think that you are infected with this malware, please follow this link and post your problem in our PC Help Center - http://scforum.info/index.php/board,16.0.html
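The registry and file artifacts listed in the description above can be turned into a quick host check. The PowerShell below is an added example, not part of the original post or of McAfee's write-up; it assumes a Windows host with PowerShell and read access to the listed hives, and it only covers the names given in the post, so a clean result does not rule out a variant using different filenames.

```powershell
# Added example (not from the original post or the McAfee description):
# look for the Downloader-AZM persistence artifacts named in the write-up.
# Key names, value names and paths are taken from the post as written.
$runHives = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Run value names listed in the description (ravshell = the downloader itself,
# wosa/mhsa/rxsa = the password stealers it fetches).
$runValueNames = @('ravshell', 'wosa', 'mhsa', 'rxsa')
# Active Setup component whose StubPath launches "<RANDOM>.exe" from System32.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B202102-FE38-11cf-64CD-21FF5FE1CF20}'
# File paths from the description. %temp% is per-user, so the dropped
# stealers are only checked under the current user's temp directory.
$filePaths = @(
    (Join-Path $env:ProgramFiles 'Eset\1explore.exe'),
    (Join-Path $env:SystemRoot 'System32\norton.sys'),
    (Join-Path $env:TEMP 'woso.exe'),
    (Join-Path $env:TEMP 'mhso.exe'),
    (Join-Path $env:TEMP 'rxso.exe')
)

$findings = @()

foreach ($hive in $runHives) {
    $props = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # Skip the PS* metadata properties PowerShell adds to the object.
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ($runValueNames -contains $p.Name) {
            $findings += "Known Run value: $hive\$($p.Name) = $($p.Value)"
        } elseif ("$($p.Value)" -match '(?i)%temp%|\\Temp\\') {
            # Filenames vary across variants, so also flag any Run entry
            # that launches from a temp directory for manual review.
            $findings += "Run entry launching from temp dir: $hive\$($p.Name) = $($p.Value)"
        }
    }
}

if (Test-Path -LiteralPath $activeSetup) {
    $stub = (Get-ItemProperty -Path $activeSetup -ErrorAction SilentlyContinue).StubPath
    $findings += "Active Setup component present, StubPath = $stub"
}

foreach ($f in $filePaths) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings.Count -eq 0) { Write-Output 'No Downloader-AZM artifacts from the description were found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Any hit should be treated as a lead for further analysis rather than a confirmed infection, and outbound connections to the hostname and IP address given under Symptoms are worth checking in proxy or firewall logs alongside it.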