Author Topic: Downloader-AZM  (Read 1992 times)


Amker

  • SCF Global Moderator
  • Posts: 1081
  • KARMA: 22
  • Gender: Male
    • SCforum.info
Downloader-AZM
« on: 16. June 2007., 15:21:31 »
This trojan downloads variants of various password stealers, including a password stealer for games. The download site may vary, but it is observed to use a configuration file before starting the download. This configuration file is detected as PWS-Lineage.ini. The downloaded files are detected as PWS-Lineage.
Characteristics -


The recent variant of this trojan is observed to contact the following website to download.
hxxp://0011.89111.cn

It may change the Internet Explorer settings to make the default page www[.]sina.com.cn

It adds the following registry key to restart on reboot
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ravshell: "%programfiles%\Eset\1explore.exe" (Filename may vary)

The downloader copies itself at
%programfiles%\Eset\1explore.exe (Filename may vary)

Some variants drop the following rootkit.
%SystemDir%\norton.sys (detected as Vanti.sys)
Symptoms -


TCP traffic at
hxxp://0011.89111.cn (60.190.118.19)

Presence of aforementioned registry key and file.

Due to execution of downloaded files the infected computer may have registry keys similar to below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wosa: "%temp%\woso.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mhsa: "%temp%\mhso.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxsa: "%temp%\rxso.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B202102-FE38-11cf-64CD-21FF5FE1CF20}\StubPath: "%sysdir%\<RANDOM>.exe"

It is recommended to submit all undetected files to McAfee Avert Labs for further analysis.


Method of Infection -


N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction).


If you think that you are infected with this malware, please follow this link and post your problem inside of our PC Help Center - http://scforum.info/index.php/board,16.0.html


# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html
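A host triage script for the symptoms listed in the post above, added here as an example; it is not part of the original post or of the McAfee description. It checks the Run keys, the Active Setup StubPath entries and the dropped driver path that the description names; the function name, the small allowlist of legitimate Active Setup launchers and the output format are this example's own assumptions.

```powershell
# Added triage example (not from the original post or the McAfee description).
# Looks for the persistence artefacts described for Downloader-AZM and the
# password stealers it drops:
#   - Run values whose data resolves under %ProgramFiles%\Eset or %TEMP%
#   - Active Setup StubPath values launching an .exe straight from System32
#   - the dropped driver norton.sys in the system directory
# Output is a list of objects for the analyst to review; a hit is a lead, not proof.
function Find-DownloaderAZMArtifacts {
    $findings = @()
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $suspectDirs = @((Join-Path $env:ProgramFiles 'Eset'), $env:TEMP)

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Expand %programfiles%/%temp% style references before comparing
            $data = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            foreach ($dir in $suspectDirs) {
                if ($data -like "*$dir*") {
                    $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$name"; Data = $data }
                }
            }
        }
    }

    # Active Setup: regsvr32/rundll32 launchers are normal here (assumed allowlist);
    # any other System32 executable named in a StubPath deserves a look.
    $allowed = @('regsvr32.exe', 'rundll32.exe')
    $asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($comp in Get-ChildItem $asRoot -ErrorAction SilentlyContinue) {
        $stub = [Environment]::ExpandEnvironmentVariables([string]$comp.GetValue('StubPath'))
        if ($stub -match '(?i)\\system32\\([^\\"]+\.exe)' -and $allowed -notcontains $Matches[1].ToLower()) {
            $findings += [pscustomobject]@{ Type = 'ActiveSetupStub'; Location = $comp.PSChildName; Data = $stub }
        }
    }

    # Dropped rootkit driver named in the description
    $drv = Join-Path $env:SystemRoot 'System32\norton.sys'
    if (Test-Path $drv) {
        $findings += [pscustomobject]@{ Type = 'DriverFile'; Location = $drv; Data = (Get-Item $drv).Length }
    }
    return $findings
}

Find-DownloaderAZMArtifacts | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and System32 are readable; an empty table means none of the listed artefacts were found, not that the host is clean.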
