Trojan-Downloader
A Trojan-Downloader is a variant of Trojan that downloads another program from the Internet and launches it on the victim's machine without the user's knowledge or consent. This particular Trojan-Downloader is an encrypted JavaScript embedded in an HTML document and is 14147 bytes in size.
The Trojan-Downloader activates when the infected page is opened in a web browser. One sign that a page is infected is that it displays the following message:
Not Found
The requested URL / was not found on this server.
The Trojan then decrypts its body and runs the decrypted script, which exploits the vulnerabilities listed below:
- a buffer overflow in the Live Picture Corporation DXSurface.LivePicture.FlashPix.1 ActiveX control in DXTLIPI.DLL when processing “SourceUrl()” (CVE-2007-4336);
- a vulnerability in the Windows Media Player plug-in when processing an excessively long “src” parameter in the “embed” tag (MS06-006); it is present only when the plug-in runs in browsers other than Internet Explorer;
- a vulnerability in the “QuickTime.QuickTime” ActiveX object (CVE-2004-0431).
These are used to download a file called “ldr.exe” from the URL shown below:
http://java62.com/load.php****
This file is 48640 bytes in size and is detected by Kaspersky Anti-Virus as Backdoor.Win32.Agent.ich. It is saved to the Windows system directory under the following name:
%System%\~.exe
The file is then launched for execution. The Trojan also uses the “Msxml2.XMLHTTP” ActiveX object, together with the objects registered in the system registry under the following unique identifiers (CLSIDs):
{BD96C556-65A3-11D0-983A-00C04FC29E30}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43C8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44F9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496B-B050-6C07C962476B}
These are used to download a file, also called “ldr.exe”, from the link shown below:
http://java62.com/load.php?MSIE
It uses the “ADODB.Stream” ActiveX object to save this file under the following name:
c:\sys<rnd>.exe
where rnd is four random Latin letters, for example:
syskmtz.exe
syskqoq.exe
The downloaded file will then be launched for execution.
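The indicators above (the CLSIDs, the ActiveX ProgIDs, the download URL and the two dropped-file names) are enough to write a small host-side checker. The script below is an added example for defenders and is not code from the original post or from any vendor: it scans a saved HTML/JS document for the CLSIDs and ProgIDs named above and for the java62.com download link, and it classifies file paths against the two naming patterns the write-up describes (c:\sys<rnd>.exe with exactly four Latin letters, and %System%\~.exe). The sample page it scans is constructed for the example and only contains the indicator strings, not a working dropper. The generic “Not Found” message the page shows is deliberately not used as an indicator, because any ordinary 404 page prints the same text.

```python
import re

# Indicators of compromise taken from the write-up above. The scanner itself is
# an added illustration, not code from the original post.
CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E30",
    "BD96C556-65A3-11D0-983A-00C04FC29E36",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116",
    "0006F033-0000-0000-C000-000000000046",
    "0006F03A-0000-0000-C000-000000000046",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3",
    "6414512B-B978-451D-A0D8-FCFDF33E833C",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766",
    "639F725F-1B2D-4831-A9FD-874847682010",
    "BA018599-1DB3-44F9-83B4-461454C84BF8",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B",
}
# ProgIDs the write-up names: the downloader's own objects plus the targeted controls.
PROGIDS = ("Msxml2.XMLHTTP", "ADODB.Stream",
           "DXSurface.LivePicture.FlashPix.1", "QuickTime.QuickTime")
DOWNLOAD_HOST = "java62.com/load.php"

GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# c:\sys<rnd>.exe with exactly four Latin letters, and <system dir>\~.exe
SYS_RND_RE = re.compile(r"^[a-z]:\\sys[a-z]{4}\.exe$", re.IGNORECASE)
TILDE_EXE_RE = re.compile(r"^[a-z]:\\.*\\system32\\~\.exe$", re.IGNORECASE)


def scan_html(text: str) -> dict:
    """Return the indicators found in one HTML/JS document and an overall verdict."""
    found_clsids = sorted({g.upper() for g in GUID_RE.findall(text) if g.upper() in CLSIDS})
    lowered = text.lower()
    found_progids = [p for p in PROGIDS if p.lower() in lowered]
    found_urls = [u for u in URL_RE.findall(text) if DOWNLOAD_HOST in u.lower()]
    # ADODB.Stream next to an XMLHTTP object is the download-and-write pair the
    # write-up describes, so that combination counts even without a known CLSID.
    writes_download = "adodb.stream" in lowered and "xmlhttp" in lowered
    return {
        "clsids": found_clsids,
        "progids": found_progids,
        "urls": found_urls,
        "suspicious": bool(found_clsids or found_urls or writes_download),
    }


def is_dropped_artifact(path: str) -> bool:
    """True if a file path matches either dropped-file name from the write-up."""
    return bool(SYS_RND_RE.match(path) or TILDE_EXE_RE.match(path))


# Constructed sample page: carries only the indicator strings, no payload logic.
SAMPLE_HTML = """<html><body>
<object classid="clsid:bd96c556-65a3-11d0-983a-00c04fc29e30" id="x"></object>
<script>
var s = "ADODB.Stream";
var h = "Msxml2.XMLHTTP";
var url = "http://java62.com/load.php?MSIE";
</script></body></html>"""

if __name__ == "__main__":
    report = scan_html(SAMPLE_HTML)
    print("suspicious:", report["suspicious"])
    for key in ("clsids", "progids", "urls"):
        print(f"  {key}: {report[key]}")
    for p in (r"C:\syskmtz.exe", r"C:\WINDOWS\system32\~.exe", r"C:\WINDOWS\system32\calc.exe"):
        print(f"  {p}: {'DROPPED ARTIFACT' if is_dropped_artifact(p) else 'ok'}")
```

The CLSID match is case-insensitive and brace-insensitive on purpose: HTML `classid` attributes carry the GUID in lowercase without braces, while the registry lists it in uppercase with braces, so both forms normalise to the same key.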
To protect your computer from Trojan-Downloader, you need to install Shield Deluxe and Security Shield.