Virus Profile: Generic Downloader.g

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/31/2005
Date Added: 10/6/2004
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 4397
Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • NOD32 - Win32/Spy.Zbot.AAO trojan
  • Symantec - Trojan.Gen
  • Microsoft - PWS:Win32/Zbot
  • Norman - W32/ZBot.BJKJ (trojan)
  • Avira - TR/Spy.ZBot.EB.107

Indication of Infection

    • Presence of above mentioned files and registry keys.
    • Presence of above mentioned activities.
    • It connects to the following sites and downloads malicious files:
      • [removed]eaarc.com/down/update10h.rar
      • [removed]eaard.com/down/hou.rar
      • [removed]eaarb.com/down/hou.rar

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
   

Virus Characteristics

-------- Updated on December 4th 2012---------

Aliases

  • Symantec - Backdoor.Wakeminap
  • Norman - W32/Agent.AKWQN (trojan)
  • Kaspersky - Trojan-Downloader.Win32.Agent.wlzn
  • Fortinet - W32/Agent.WLZN!tr.dldr

"Generic Downloader.g" is a detection for this Trojan, which downloads other payloads.

Upon execution, the Trojan drops files in the following locations:

%Temp%\POWER_GEN_2012.pdf
%Temp%\em.exe

Upon execution, it tries to connect to the following URLs over HTTP:

  • http://63.73.[Removed].7/scripts/images/device_input.asp?device_t=2349438461&key=vrnnprjd&device_id=em&cv=vrnnprjdecejxvlub (application/x-www-form-urlencoded)
  • http://63.73.[Removed].7/scripts/images/record.asp?device_t=8533569937&key=rgsawyrs&device_id=em&cv=rgsawyrsdowrskfgx&result=%0D%0ATime%3A%09Tue%20Dec%2004%2015%3A32%3A19%202012%0AAgent%3A%09Mozilla%2F4.0%20(compatible%3B%20MSIE%207.0%3B%20Win32%3B%20Microsoft%20Windows%20XP%20Professional%20Service%20Pack%203%20(build%202600))%0D%0Aurl%20OK%21%0D%0Apickup%20command%20Ok%21%0D%0AMon%20Nov%2026%2008%3A29%3A26%202012%3B%20%09sleep%2024%0D%0Asleep%2024%09wakeup%3DWed%20Dec%2005%2015%3A32%3A22%202012%0A%0D%0ANext%3AWed%20Dec%2005%2015%3A32%3A22%202012%0Adelay%3A3600%20sec%0D%0A%0D%0A
  • http://63.73.[Removed].7/scripts/images/device_em.asp?device_t=4827883592&key=ijukawom&device_id=em&cv=ijukawomoqypvvfzl
  • www.helios[Removed]ners.com
  • 7.11.[Removed].63
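To see what the bot actually reports in these check-ins, the following Python snippet (an added example, not part of the McAfee profile) parses the three captured query strings above and percent-decodes the `result` parameter of the record.asp request into the beacon's status lines, then pulls out the polling delay an analyst would use to expect the next check-in. The host name `63-73-redacted-7.invalid` is a placeholder standing in for the profile's redacted address, and the function names `decode_beacon`, `report_lines` and `poll_interval_seconds` are this example's own. The `cv_starts_with_key` field records an observation about these three URLs only, not a documented protocol property.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder for the profile's redacted "63.73.[Removed].7"; only needed so the URLs parse.
C2_HOST = "63-73-redacted-7.invalid"

# Query strings copied from the profile's three captured check-in URLs.
CAPTURED_URLS = [
    f"http://{C2_HOST}/scripts/images/device_input.asp"
    "?device_t=2349438461&key=vrnnprjd&device_id=em&cv=vrnnprjdecejxvlub",
    f"http://{C2_HOST}/scripts/images/record.asp"
    "?device_t=8533569937&key=rgsawyrs&device_id=em&cv=rgsawyrsdowrskfgx"
    "&result=%0D%0ATime%3A%09Tue%20Dec%2004%2015%3A32%3A19%202012"
    "%0AAgent%3A%09Mozilla%2F4.0%20(compatible%3B%20MSIE%207.0%3B%20Win32%3B"
    "%20Microsoft%20Windows%20XP%20Professional%20Service%20Pack%203%20(build%202600))"
    "%0D%0Aurl%20OK%21%0D%0Apickup%20command%20Ok%21"
    "%0D%0AMon%20Nov%2026%2008%3A29%3A26%202012%3B%20%09sleep%2024"
    "%0D%0Asleep%2024%09wakeup%3DWed%20Dec%2005%2015%3A32%3A22%202012%0A"
    "%0D%0ANext%3AWed%20Dec%2005%2015%3A32%3A22%202012%0Adelay%3A3600%20sec%0D%0A%0D%0A",
    f"http://{C2_HOST}/scripts/images/device_em.asp"
    "?device_t=4827883592&key=ijukawom&device_id=em&cv=ijukawomoqypvvfzl",
]


def report_lines(result: str) -> list:
    """Split the percent-decoded `result` text into its non-empty status lines."""
    return [ln.strip() for ln in result.replace("\r\n", "\n").split("\n") if ln.strip()]


def poll_interval_seconds(report: list):
    """Return the 'delay:<n> sec' value the bot reports, or None if absent."""
    for ln in report:
        m = re.match(r"delay:(\d+) sec", ln)
        if m:
            return int(m.group(1))
    return None


def decode_beacon(url: str) -> dict:
    """Break one check-in URL into its script name, fixed fields and decoded report."""
    parts = urlsplit(url)
    # parse_qs percent-decodes each value for us (%0D%0A -> CRLF, %3A -> ':' ...)
    fields = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    key, cv = fields.get("key", ""), fields.get("cv", "")
    return {
        "script": parts.path.rsplit("/", 1)[-1],
        "device_t": fields.get("device_t"),
        "key": key,
        "device_id": fields.get("device_id"),
        "cv": cv,
        # Observation on these three captures only: every cv value begins with the key value.
        "cv_starts_with_key": bool(key) and cv.startswith(key),
        "report": report_lines(fields.get("result", "")),
    }


if __name__ == "__main__":
    for url in CAPTURED_URLS:
        info = decode_beacon(url)
        print(info["script"], info["device_id"], info["cv_starts_with_key"])
        for ln in info["report"]:
            print("   ", ln)
        print("    poll interval:", poll_interval_seconds(info["report"]))
```

The decoded `result` text is a plain-text status report (the bot's local time and user agent, "url OK!", "pickup command Ok!", the last sleep/wakeup times and a `delay:3600 sec` line), which is why a proxy or web-server log that retains query strings is enough to recover the beacon cadence without any sample of the binary.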


-------- Updated on September 17, 2012--------

"Generic Downloader.g" is a detection for this Trojan, which receives commands from an attacker to access the infected machine and downloads other malicious files. The Trojan creates a firewall rule in order to bypass the firewall, which may allow the remote attacker to issue commands and control the compromised machine without the user's knowledge. It may also steal the following personal and confidential information from the compromised computer:

  • Outlook Express passwords
  • Digital certificates
  • Internet Explorer cookies
  • Cached passwords

Upon execution, the Trojan injects itself into explorer.exe and drops files in the following locations:

  • %Appdata%\Microsoft\Address Book\Administrator.wab
  • %Appdata%\Microsoft\Address Book\Administrator.wab~
  • %Appdata%\Aqozba\toynt.exe
  • %Appdata%\Dozyz\heact.adb
  • %Appdata%\Nozi\uwebi.tmp

Upon execution, it tries to connect to the following hosts over HTTP:

  • sg.[Removed].real.com
  • sp[Removed]d.su
  • c[Removed]to.su
  • r[Removed]ks.su
  • e[Removed]alt.pl
  • r[Removed]rain.pl

Captured POST request:

  • POST /sopelka3/file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: c[Removed]to.su
    Content-Length: 131
    Connection: Keep-Alive
    Cache-Control: no-cache
  • POST /dedun23/file.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: e[Removed]alt.pl
    Content-Length: 128
    Connection: Keep-Alive
    Cache-Control: no-cache
  • POST /dedun23/gate.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: re[Removed]ain.pl
    Content-Length: 341
    Connection: Keep-Alive
    Cache-Control: no-cache
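The captured requests above share a small set of features that a proxy-log review can key on. The following Python snippet is an added example, not McAfee tooling: it parses raw request headers and scores each request against the pattern shown (POST, a `/<dir>/file.php` or `/<dir>/gate.php` path, the exact MSIE 7.0 User-Agent above, a short body, Keep-Alive together with no-cache). The three captured requests are embedded with their hosts redacted as on the page; the fourth request is constructed as a benign control, and the function names and the threshold of 4 are this example's own choices.

```python
import re

# User-Agent exactly as printed in the profile's captured requests.
UA_CAPTURED = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; "
               ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)")
# "/<dir>/file.php" and "/<dir>/gate.php": the two script names in the captured requests.
GATE_PATH = re.compile(r"^/[A-Za-z0-9_-]+/(?:file|gate)\.php$")


def _req(*lines):
    """Join header lines into a raw HTTP request head (CRLF line endings, blank line at end)."""
    return "\r\n".join(lines) + "\r\n\r\n"


# The three requests from the profile (hosts redacted as on the page).
CAPTURED = [
    _req("POST /sopelka3/file.php HTTP/1.1", "Accept: */*", "User-Agent: " + UA_CAPTURED,
         "Host: c[Removed]to.su", "Content-Length: 131", "Connection: Keep-Alive",
         "Cache-Control: no-cache"),
    _req("POST /dedun23/file.php HTTP/1.1", "Accept: */*", "User-Agent: " + UA_CAPTURED,
         "Host: e[Removed]alt.pl", "Content-Length: 128", "Connection: Keep-Alive",
         "Cache-Control: no-cache"),
    _req("POST /dedun23/gate.php HTTP/1.1", "Accept: */*", "User-Agent: " + UA_CAPTURED,
         "Host: re[Removed]ain.pl", "Content-Length: 341", "Connection: Keep-Alive",
         "Cache-Control: no-cache"),
]
# Constructed benign request used as a control.
BENIGN = _req("GET /index.html HTTP/1.1", "Accept: text/html",
              "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20100101 Firefox/15.0",
              "Host: www.example.com", "Connection: Keep-Alive")


def parse_request(raw: str) -> dict:
    """Split a raw request head into method, path, version and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def gate_score(req: dict) -> int:
    """Count how many of the five captured-request features a request exhibits (0..5)."""
    h = req["headers"]
    score = 0
    if req["method"] == "POST":
        score += 1
    if GATE_PATH.match(req["path"]):
        score += 1
    if h.get("user-agent") == UA_CAPTURED:
        score += 1
    if h.get("content-length", "").isdigit() and int(h["content-length"]) < 1024:
        score += 1  # short form body, as in the captures (131, 128, 341 bytes)
    if h.get("connection", "").lower() == "keep-alive" and h.get("cache-control", "").lower() == "no-cache":
        score += 1
    return score


def triage(raw_requests, threshold: int = 4) -> list:
    """Return (host, path, score) for every request scoring at or above the threshold."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        s = gate_score(req)
        if s >= threshold:
            hits.append((req["headers"].get("host", "?"), req["path"], s))
    return hits


if __name__ == "__main__":
    for host, path, s in triage(CAPTURED + [BENIGN]):
        print(f"{s}/5  {host}{path}")
```

Scoring rather than exact matching is deliberate: a later build that changes the directory name or the body length still scores 3 or 4, which is enough to surface it for review without turning the User-Agent string alone into a rule.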

The following registry keys have been added to the system

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Explorer\Privacy
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Liotfu
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\WAB

The following registry values have been added to the system:

  • HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe: "C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"

The registry values above show that the Trojan adds explorer.exe (the process it injects into) to the Windows Firewall's authorized-applications list, so the firewall does not block its traffic; this may allow the remote attacker to issue commands and control the compromised machine without the user's knowledge.

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Vubavetie: "%Appdata%\Aqozba\toynt.exe"

The Run value above registers the Trojan on the compromised system so that it executes on every boot.

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Explorer\Privacy\CleanCookies: 0x00000000

The above registry ensures that the Trojan prevents the removal of expired Internet Explorer browser cookies

The registry values below show the Trojan configuring LDAP directory-service accounts in order to steal confidential information. Note for analysts: the four accounts listed (WhoWhere, VeriSign, Bigfoot, Active Directory GC) are the stock directory services that the Windows Address Book writes when it is first initialized (compare the WAB4 FirstRun value further down), so these keys on their own are a weak indicator; the dropped Administrator.wab file and the POST traffic above are the stronger evidence.

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\

  • LDAP Server ID: 0x00000003
  • Account Name: "WhoWhere Internet Directory Service"
  • LDAP Server: "ldap.whowhere.com"
  • LDAP URL: http://www.whowhere.com
  • LDAP Search Return: 0x00000064
  • LDAP Timeout: 0x0000003C
  • LDAP Authentication: 0x00000000
  • LDAP Simple Search: 0x00000001
  • LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\

  • LDAP Server ID: 0x00000002
  • Account Name: "VeriSign Internet Directory Service"
  • LDAP Server: "directory.verisign.com"
  • LDAP URL: http://www.verisign.com
  • LDAP Search Return: 0x00000064
  • LDAP Timeout: 0x0000003C
  • LDAP Authentication: 0x00000000
  • LDAP Search Base: "NULL"
  • LDAP Simple Search: 0x00000001
  • LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\

  • LDAP Server ID: 0x00000001
  • Account Name: "Bigfoot Internet Directory Service"
  • LDAP Server: "ldap.bigfoot.com"
  • LDAP URL: http://www.bigfoot.com
  • LDAP Search Return: 0x00000064
  • LDAP Timeout: 0x0000003C
  • LDAP Authentication: 0x00000000
  • LDAP Simple Search: 0x00000001
  • LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\

  • LDAP Server ID: 0x00000000
  • Account Name: "Active Directory"
  • LDAP Server: "NULL"
  • LDAP Search Return: 0x00000064
  • LDAP Timeout: 0x0000003C
  • LDAP Authentication: 0x00000002
  • LDAP Simple Search: 0x00000000
  • LDAP Bind DN: 0x00000000
  • LDAP Port: 0x00000CC4
  • LDAP Resolve Flag: 0x00000001
  • LDAP Secure Connection: 0x00000000
  • LDAP User Name: "NULL"
  • LDAP Search Base: "NULL"

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\Accounts\

  • PreConfigVer: 0x00000004
  • PreConfigVerNTDS: 0x00000001
  • ConnectionSettingsMigrated: 0x00000001
  • AssociatedID: EB 47 C0 B3 BA 48 A2 40 AE 96 42 B4 9A 3E 4D 9B

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Account Manager\

  • Server ID: 0x00000004
  • Default LDAP Account: "Active Directory GC"

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\WAB\WAB4\

  • Wab File Name\: "%Appdata%Microsoft\Address Book\Administrator.wab"
  • OlkContactRefresh: 0x00000000
  • OlkFolderRefresh: 0x00000000
  • FirstRun: 0x00000001

HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Liotfu\Hogag: B7 B5 8F E1 1D A8 AA 8C 12 C8 8C 2F AA 9F 50 EE B7 B5 8F E1 1D A8 AA 8C 12 C8 8C 2F AA 9F 50 EE B7 B5 8F E1 1D A8 AA 8C 12 C8 8C 2F AA 9F 50 EE 68 F7 28 37 67 77 E5 D5 79 65 3B 00 9C CD 6A CF B7 B5 8F E1 1D A8 AA 8C 12 C8 8C 2F AA 9F 50 EE B7 B5 8F E1 1D A8 AA 8C 12 C8 8C 2F AA 9F 50 EE B7 B5 8F E1 1D A8 AA 8C 12 C8 8C 2F AA 9F 50 EE 1D F6 AD 49 D8 C6 E4 E2 A4 9F F5 01 58 F3 EC FD B7 B5 8F E1 1D A8 AA 8C 12 C8 8C 2F AA 9F 50 EE B7 B5 8F E1 1D A8 AA 8C 12 C8 8C 2F AA 9F 50 EE

HKEY_USERS\S-1-5[Varies]\Identities\{B3C047EB-48BA-40A2-AE96-42B49A3E4D9B}\Software\Microsoft\Outlook Express\5.0\

  • SpellDontIgnoreDBCS: 0x00000001
  • MSIMN: 0x00000001
  • StoreMigratedV5: 0x00000001
  • ConvertedToDBX: 0x00000001
  • Settings Upgraded: 0x00000007
  • Running: 0x00000000
  • Store Root: "%UserProfile%\Local Settings\Application Data\Identities\{B3C047EB-48BA-40A2-AE96-42B49A3E4D9B}\Microsoft\Outlook Express\"
  • SpoolerDlgPos: 2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF B5 01 00 00 58 00 00 00 9D 03 00 00 F2 00 00 00
  • SpoolerTack: 0x00000000
  • Compact Check Count: 0x00000001

HKEY_USERS\S-1-5[Varies]\Identities\{B3C047EB-48BA-40A2-AE96-42B49A3E4D9B}\Software\Microsoft\Outlook Express\5.0\Mail\

  • Welcome Message: 0x00000000
  • Accounts Checked: 00 00 00 00
  • Safe Attachments: 0x00000001
  • Secure Safe Attachments: 0x00000001
  • Default_CodePage: 0x00006FAF

The following registry values have been modified on the system (each pair shows the original value, then the value set by the Trojan):

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled: 0x00000002
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled: 0x00000000

The change above disables Internet Explorer's phishing filter.

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000001
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000001
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000001
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000003
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000001
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000003
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000001
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000003
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000001
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000000

The changes above lower Internet Explorer's security-zone settings in every zone: action 1406 ("Access data sources across domains") is set to 0 (enable) from its previous 1 (prompt) or 3 (disable), and action 1609 ("Display mixed content") is set to 0 (enable) from 1 (prompt).

 -------- Updated on July 06, 2011 -----

File Information –

    • MD5   - 66dd484101d59d1c9a37b5ce4a8add49
    • SHA1  - 88689f322613c605e1abe9d30f4431b34c3e4825

Aliases –

    • Ikarus - Worm.Win32.VBNA
    • NOD32 - a variant of Win32/Injector.BXQ
    • Sunbelt - Trojan.Win32.Generic!BT

"Generic Downloader.g" is a trojan detection which downloads files from the site remote site.

Upon execution, the Trojan copies itself into the following location.

    • %AppData%\SoundCheck.exe

It also creates a browser instance, connects to the remote site, and drops a file in the following location.

    • %Temp%\BvTQSi.html

The following registry keys have been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{IoG2jEwQ-XmgM-1C76-nj6f-uMd4Vcy1us5E}
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Active Setup\Installed Components\{IoG2jEwQ-XmgM-1C76-nj6f-uMd4Vcy1us5E}
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Visual Basic
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Visual Basic\6.0

The following registry values have been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{IoG2jEwQ-XmgM-1C76-nj6f-uMd4Vcy1us5E}\
      StubPath = "%AppData%\SoundCheck.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      Drivers = "%AppData%\SoundCheck.exe"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Active Setup\Installed Components\{IoG2jEwQ-XmgM-1C76-nj6f-uMd4Vcy1us5E}\
      StubPath = "%AppData%\SoundCheck.exe"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      Drivers = "%AppData%\SoundCheck.exe"

The registry entries above confirm that the Trojan executes every time Windows starts.
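The firewall exception, Run value, phishing-filter and zone changes described in the December 2012 update, and the Active Setup StubPath and Run values from the July 2011 update above, are all plain registry data, so a reviewer can pull them out of a regedit export. The following Python snippet is an added example, not McAfee tooling: it parses a .reg export and flags those entry types. The export text is constructed for the example, mirroring the profile's entries with a placeholder SID and user path, and includes two benign values (a system ctfmon.exe Run entry and zone action 1400) as controls; the function names are this example's own.

```python
import re

# Constructed regedit export mirroring the profile's entries (placeholder SID and user path).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Vubavetie"="C:\\Documents and Settings\\user\\Application Data\\Aqozba\\toynt.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{IoG2jEwQ-XmgM-1C76-nj6f-uMd4Vcy1us5E}]
"StubPath"="C:\\Documents and Settings\\user\\Application Data\\SoundCheck.exe"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000000
"1400"=dword:00000000
'''

_SECTION = re.compile(r"^\[(.+)\]$")
# "name"=data or @=data; value names may contain escaped backslashes and quotes.
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Directories under the user profile where a persistence target should raise an eyebrow.
USER_PROFILE_DIRS = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\", "\\temp\\")
# IE zone actions the profile shows being set to 0 (enable).
ZONE_ACTIONS = {"1406": "Access data sources across domains", "1609": "Display mixed content"}


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text: str):
    """Yield (key, value_name, data) for each value in a .reg export.
    dword data becomes int, REG_SZ becomes str; other types are left as raw text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        raw = m.group(2)
        if raw.startswith("dword:"):
            data = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            data = _unescape(raw[1:-1])
        else:
            data = raw
        yield key, name, data


def _in_user_profile(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_PROFILE_DIRS)


def triage(text: str) -> list:
    """Return (finding, key, name, data) tuples for the entry types the profile describes."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if "\\firewallpolicy\\" in k and k.endswith("\\authorizedapplications\\list"):
            # Value name is the executable path; data "...:*:Enabled:..." means the exception is live.
            exe = name.lower().rsplit("\\", 1)[-1]
            if isinstance(data, str) and ":enabled:" in data.lower() and (exe == "explorer.exe" or _in_user_profile(name)):
                findings.append(("firewall-exception", key, name, data))
        elif k.endswith("\\currentversion\\run") and isinstance(data, str) and _in_user_profile(data):
            findings.append(("run-autostart", key, name, data))
        elif "\\active setup\\installed components\\" in k and name.lower() == "stubpath" \
                and isinstance(data, str) and _in_user_profile(data):
            findings.append(("active-setup-autostart", key, name, data))
        elif k.endswith("\\internet explorer\\phishingfilter") and name.lower() == "enabled" and data == 0:
            findings.append(("phishing-filter-disabled", key, name, data))
        elif re.search(r"\\internet settings\\zones\\[0-4]$", k) and name in ZONE_ACTIONS and data == 0:
            findings.append(("zone-downgrade", key, ZONE_ACTIONS[name], data))
    return findings


if __name__ == "__main__":
    for finding, key, name, data in triage(SAMPLE_REG):
        print(f"{finding:26} {name!r} = {data!r}\n    at {key}")
```

The explorer.exe firewall entry is worth a dedicated rule because Windows Explorer has no reason to be an authorized application; the Active Setup StubPath check matters because that location runs once per user at logon and is easy to overlook next to the more familiar Run key.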

Note: %Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp; %AppData% = C:\Documents and Settings\[UserName]\Application Data
-----

------------ Updated on 22-Sep-2010 --------------

File Information –

    • MD5   - 05f964429ecfe93cfee5f03a4ab92f5b
    • SHA1  - 8c801922f21423f7062fd638cea0072e6c23d5dc

Aliases –

    • Kaspersky - Trojan-Downloader.Win32.Agent.fdt
    • Microsoft - TrojanDownloader:Win32/Agent.ZAL
    • NOD32 - Win32/Mefir.AA
    • Symantec - Downloader

Characteristics -

"Generic Downloader.g" is a trojan detection which downloads files from the site "korea[removed].com" and executes on the user machine.

Upon execution, the Trojan copies itself into the following locations

    • %Windir%\system32\notepod.exe

And drops the following files

    • %Windir%\system32\odbcwyp32.dll [Detected as Generic.Downloader.g]
    • %Windir%\system32\disk.ico
    • %Windir%\config\systemprofile\Cookies\system@koreaard[1].txt
    • %Windir%\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8WEL7ODI\hou[1].htm

The following registry keys have been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe\shell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe\shell\open
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe\shell\open\command
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Enum

The following registry values have been added

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepod.exe\shell\open\command]
        (Default) = "%Windir%\system32\notepod.exe" "%1"

The registry entry above confirms that the Trojan replaces notepad.exe with notepod.exe: whenever the user opens a file with Notepad, the Trojan executes immediately.

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RSVP\0000\Control]
       NewlyCreated = 0x00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RSVP\0000]
       Service = "RSVP"
       Legacy = 0x00000001
       ConfigFlags = 0x00000000
       Class = "LegacyDriver"
       ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
       DeviceDesc = "QoS RSVP"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RSVP]
        NextInstance = 0x00000001
    • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        ProxyEnable = 0x00000000

The following registry values have been modified

    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent\]
       = 0x0000000D
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\]
      Start = 0x00000002
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\]
      ErrorControl = 0x00000000

The following file has been modified

    • %Windir%\system32\rsvp.exe

The following folders have been added

    • %Windir%\Web\webdc
    • %Windir%\Web\webhp
    • %Windir%\Web\webpf
    • %Windir%\Web\webpt
    • %Windir%\Web\webxs

[Note : %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)]

-------------------

For further information, please refer to the Generic Downloader description.

Removal Instructions
All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).