Virus Profile: Downloader-DI

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 7/16/2003
Date Added: 7/16/2003
Origin: Unknown
Length: 5,664 bytes (2,720 bytes damaged)
Type: Trojan
Subtype: Spam
DAT Required: 4277
Removal Instructions
Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Desktop firewall program alerting that a foreign application is attempting to access the Internet.

Methods of Infection

Trojans do not self-replicate and require manual intervention in order to "spread". This trojan may be received in a SPAM email message as described in the Virus Characteristics section. The user is infected upon executing the attachment.

Aliases

Downloader-DI.dam, Troj/Antikl-Dam (Sophos), Trojan.Download.Berbew (NAV), TrojanProxy.Win32.Webber (Kaspersky)

Virus Characteristics

-- Update April 6, 2004 --
Another mass seeding of this trojan has recently occurred. Detection requires the 4349 DAT files. The details of the email message sent are as follows:

From: "Brian Spencer" security@fdic.com
Subject: fraud report
Attachment: www.fdic.com.fraud.security.pif.zip
Body:

Dear Sir!

We are sorry to report that your bank account has been temporarily closed cause of explicit fraud activity. We are about to report to the police about this incident and they'll carefully investigate this matter. If you'll be found guilty, your can be charged up to $57,183. You can find all the details about this incident in the attached file and if you still have any questions until the police start investigation, please contact us as soon as possible. Sir, fraud activity is prohibited by the US legislation and you must note down that from now on your every step is being carefully traced down. So if you don't want any other incidents to take place, wait for the end of this investigation or contact us. You can find our email and phone number in the attached file(password - MarH3Jl4).

Faithfully yours, Brian Spencer (Chief Manager)

-- Update December 30, 2003 --
AVERT has received damaged (truncated) copies of this trojan that have been spammed out. Detection for these files as Downloader-DI.dam will be included in the 4313 DAT files. Please note that these files are damaged and cannot run. The email messages should be deleted.

Details of the spammed message are included below. The following subject line and attachment name can be used for blocking such messages:

Subject: security notification
Attachment: antikeylog2004.exe (2,720 bytes)

--

Intentions of Trojan

Multiple versions of this trojan exist. They are known to have been spammed out to users by email. Users are recommended to use the latest engine/DATs for optimal detection.

When run, it connects to the hacker's site to download a remote file. This remote file is a backdoor trojan, detected as BackDoor-AXJ.

Spam Messages

Spammed email messages with various characteristics have been reported. For example:

From: Account Manager
Subject: Re: Your credit application
Attachment: www.citybankhomeloan.htm.pif

Dear Sir!

Thank you for your online application for a Home Equity Loan.
In order to be approved for any loan application we pull your
Credit Profile and Chexsystems information, which didn't satisfy
our minimum needs. Consequently, we regret to say that we cannot
approve you for Home Equity Loan at this time.

*Attached are copy of your Credit Profile and Your Application that
you submitted with us. Please take a close look at it, you will receive
hard copy by mail withing next few days.

From: Wells Fargo Accounting
To: username
Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489
Attachment: wellsfargo.biz.jsessionid=5QWBU8TLSM01.pif

Dear Sir,

Thank you for your online application for a Business Account with Wells Fargo. We appreciate your interest in banking with us.

In order to open a Business Account, we must receive specific credit information that is verifiable. Because Wells Fargo has no locations in your state, we are unable to confirm the credit information in your application. Consequently, we regret to say that we cannot open an account for your business at this time.

Attached are your Wells Fargo Application and your Social Security File.

Sincerely,

Sherli Chin
Business Resource Center Services
Wells Fargo Bank

From: Citibank Accounting
To: username
Subject: Re: Your credit application
Attachment: web.da.us.citi.heloc.pif

Dear sir,

Thank you for your online application for a Citibank Home Equity Loan.
In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn't satisfy our minimum needs.
Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time.

*Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.

From: E-Loan Consumer Department
To: username
Subject: Re: Your E-Loan Refinance Application Declined
Attachment: E-Loan-Appraiser-Results.pif

Dear sir,

Thank you for your recent online Refinance Application with E-Loan Inc.
Apparently you have moved from your current home address a couple of months ago, so we coulnd't verify your identity with Credit Bureaus and Chexsystems.
We are sorry for any inconvenience.

Attached are scanned copies of your Home Value, Grant Deeds and your current Credit Profile from 3 major Credit Bureaus. Take a close look at it, as you will receive hard copies by usps mail in few days.

The recent spamming (Dec 31st 2003, bearing the corrupt attachment) uses messages constructed as follows:

From: Admin@(insert name of bank).com
To: username
Subject: security notification
Attachment: antikeylog2004.exe (2.72KB)

Dear customer,

The security of your personal and account information is extremely important to us. By practicing good security habits, you can help us ensure that your private information is protected.
Please install our special software, that will remove all the keyloggers and backdoors from your computer.

And will help us to prevent credit card fraud in future.

Thank you.

Best Regards,

(insert name of bank)
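As an added example (not McAfee's code or the profile's own tooling), the following gateway-style filter applies the blocking guidance from the December 30 update and the pattern shared by every lure listed above: a .pif or .exe attachment, sometimes zipped, named to look like a bank web address. Sample messages are constructed inline; the sender and recipient addresses are placeholders.

```python
"""Gateway-style filter for the Downloader-DI spam lures.

Added example, not McAfee's tooling. Subject lines and attachment names
come from the profile above; sample messages are constructed here.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the profile for the Dec 2003 and Apr 2004 runs.
BLOCK_SUBJECTS = {"security notification", "fraud report"}
BLOCK_ATTACHMENTS = {"antikeylog2004.exe", "www.fdic.com.fraud.security.pif.zip"}
# Every lure on the page carries an executable (.pif/.exe) attachment,
# sometimes zipped; the names mimic bank web addresses.
EXEC_EXT = re.compile(r"\.(pif|exe|scr)(\.zip)?$", re.IGNORECASE)


def attachment_names(msg):
    """Collect the filename of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw):
    """Return the reasons a raw RFC 822 message should be blocked ([] if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in BLOCK_SUBJECTS:
        reasons.append("subject:" + subject)
    for name in attachment_names(msg):
        if name.lower() in BLOCK_ATTACHMENTS:
            reasons.append("attachment:" + name)
        elif EXEC_EXT.search(name):
            reasons.append("executable-attachment:" + name)
    return reasons


def build_sample(sender, subject, filename, body):
    """Construct a test message with one attachment (placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "username@example.invalid"   # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Feeding `build_sample("Admin@bank.example", "security notification", "antikeylog2004.exe", "Dear customer,")` to `classify` returns both a subject and an attachment reason, while a plain text attachment returns none.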


All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations
