
Trojan-Downloader

Trojan-Downloader is another variant of Trojan that downloads another program from the Internet and launches it on the victim's machine without the user's knowledge or consent. This Trojan-Downloader is an encrypted JavaScript embedded in an HTML document and is 14147 bytes in size.

The Trojan-Downloader activates when the infected page is opened in a web browser. A sign that a page is infected is that it displays the following message:

Not Found
The requested URL / was not found on this server.

The Trojan then decrypts its body and launches the malicious script. The script exploits the following vulnerabilities:

  1. a buffer overflow in the Live Picture Corporation DXSurface.LivePicture.FlashPix.1 ActiveX control in DXTLIPI.DLL when processing “SourceUrl()” (CVE-2007-4336);
  2. a vulnerability in the Windows Media Player plug-in when processing an excessively long “src” parameter in the “embed” tag (MS06-006); this vulnerability is present only when the plug-in runs in browsers other than Internet Explorer;
  3. a vulnerability in the “QuickTime.QuickTime” ActiveX object (CVE-2004-0431).

These are used to download a file called “ldr.exe” from the URL shown below:

http://java62.com/load.php****

This file is 48640 bytes in size and is detected by Kaspersky Anti-Virus as Backdoor.Win32.Agent.ich. It is saved to the Windows system directory under the following name:

%System%\~.exe

The file is then launched for execution. The Trojan also uses the “Msxml2.XMLHTTP” ActiveX object and the objects registered in the system registry under the following unique identifiers (CLSIDs):


These are used to download a file called “ldr.exe” from the link shown below:

http://java62.com/load.php?MSIE

It uses the “ADODB.Stream” ActiveX object to save this file under the following name:

c:\sys<rnd>.exe

<rnd> – four random Latin letters. Examples:

syskmtz.exe
syskqoq.exe

The downloaded file will then be launched for execution.
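As an added example (not part of the original post and not a Kaspersky signature), a small Python heuristic that flags HTML pages carrying the indicators this description lists, and file names matching the dropped payload. The sample page, the 512-character "src" threshold, and the helper names are assumptions made for the example.

```python
import re

# Indicators taken from the description above (constructed heuristic, not a vendor signature).
ACTIVEX_PROGIDS = (
    "DXSurface.LivePicture.FlashPix.1",   # CVE-2007-4336 (DXTLIPI.DLL)
    "QuickTime.QuickTime",                # CVE-2004-0431
    "Msxml2.XMLHTTP",                     # used to fetch the payload
    "ADODB.Stream",                       # used to write it to disk
)
EMBED_SRC_RE = re.compile(r'<embed[^>]*\bsrc\s*=\s*["\']?([^"\'>\s]+)', re.I)
# Dropped names described above: %System%\~.exe and c:\sys<rnd>.exe (rnd = four Latin letters)
DROPPED_NAME_RE = re.compile(r'^(?:~\.exe|sys[a-z]{4}\.exe)$', re.I)
MAX_SANE_SRC = 512  # assumed threshold; MS06-006 is triggered by an overlong "src"


def scan_html(html: str) -> list:
    """Return a list of heuristic findings for one HTML document."""
    findings = []
    body = html.lower()
    for progid in ACTIVEX_PROGIDS:
        if progid.lower() in body:
            findings.append("activex:" + progid)
    for m in EMBED_SRC_RE.finditer(html):
        if len(m.group(1)) > MAX_SANE_SRC:
            findings.append("embed-src-overlong:%d" % len(m.group(1)))
    # The decoy "Not Found" text next to a <script> block is the visible symptom described above.
    if "not found" in body and "<script" in body:
        findings.append("decoy-404-with-script")
    return findings


def is_dropped_name(filename: str) -> bool:
    """True if a file name matches the payload names this downloader writes."""
    return bool(DROPPED_NAME_RE.match(filename))


# Constructed sample page that mimics the indicators above (not a real captured page).
SAMPLE_HTML = (
    "<html><body>Not Found<br>The requested URL / was not found on this server."
    '<script>var o=new ActiveXObject("Msxml2.XMLHTTP");'
    'var s=new ActiveXObject("ADODB.Stream");</script>'
    '<embed src="' + "A" * 600 + '" type="application/x-mplayer2"></embed>'
    "</body></html>"
)

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print([n for n in ("syskmtz.exe", "~.exe", "system.exe") if is_dropped_name(n)])
```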

To protect your computer from Trojan-Downloader, you need to install Shield Deluxe and Security Shield.
