Virus Profile: Generic Dropper.p

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/11/2005
Date Added: 10/11/2005
Origin: N/A
Length: varies
Type: Trojan
Subtype: Dropper
DAT Required: 6930
Removal Instructions
   
 
 
   

Description

Droppers are files which contain other binaries within their body. They act like a self-extracting ZIP file - taking the files stored inside and then installing them on the affected machine.

The types of files dropped by many droppers include other Trojans, such as Downloaders (to download yet more files from a remote machine), BackDoors (to allow the attacker remote access to the client machine) and Dialers (to change the dial-up settings of the client's Internet connection, normally to a premium-rate number).

Indication of Infection

The symptoms of this detection are the files, registry entries and network communication referenced in the Characteristics section.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

   

Virus Characteristics

-------Updated on 16 April, 2013-------

Generic Dropper.p is detection for this Trojan, which downloads other payloads. It also receives commands from an attacker to access the infected machine. Once the Trojan executes successfully it deletes itself. The dropped files are detected as Generic PWS.o.

Upon execution the Trojan drops the following file:

  • %WINDIR%\system32\msaudit.dll [Detected as Generic PWS.o]

The following API calls are used to hook into other running processes in order to hide its presence.

  • CallNextHookEx
  • SetWindowsHookExA

The following API call is used to obtain the keyboard layout in order to capture key events.

  • GetKeyState

The following API call is used to obtain system information from the infected machines.

  • GetNativeSystemInfo

 

--------------------------------------------------

-------Updated on 17 March, 2013-------

Aliases

  • Symantec - Trojan.Dropper
  • Nod32 - Win32/TrojanProxy.Preshin.B trojan

Characteristics

Generic Dropper.p is detection for this Trojan, which drops other malicious files and opens a backdoor connection to the remote attacker from the compromised system.

Upon execution the Trojan tries to connect to a series of remote IP addresses in order to make remote connections to URLs hosted on them (the addresses and URLs are partially redacted in this profile).

Upon execution the following files have been added to the system.

  • %Temp%\losivp.tmp
  • %Appdata%\MovieMaker\mschelp.dll

The following folders have been added to the system.

  • %Allusersprofile%\MovieMaker
  • %Userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore
  • %Userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\8PQX5JFJ
  • %Userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\B7LKGMZK
  • %Userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\88HLHWPT
  • %Userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\OLSHULCW


The following registry values have been added to the system

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "%windir%\system32\ESENT.dll"
  • HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "%windir%\system32\ESENT.dll"

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\policies\Explorer\Run

The following registry key value ensures that the Trojan registers a run entry with the compromised system and executes itself upon every boot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\TactXCI:"rundll32.exe"%AppData%\MovieMaker\mschelp.dll" TactXCIHlp 137"


-------Updated on 26 Dec, 2012------------

Aliases


  • Microsoft - TrojanDownloader:Win32/Sadai.A
  • Drweb - Trojan.DownLoader6.44284
  • F-prot - W32/Heuristic-431!Eldorado
  • Sunbelt - Trojan.Win32.Generic.pak!cobra

Generic Dropper.p is detection for a Trojan which downloads other malware to the system. It also tries to clear the Internet cache.

Upon execution the Trojan tries to connect to the following addresses in order to download other payloads through remote port 80:

  • hxxp://163.32.[Removed].38/nextpoint.htm
  • files.pca[Removed]ere.net
  • 163.32.[Removed].38
  • 38.161.[Removed].163

Upon execution the Trojan copies itself to the following location:

  • %AppData%\NextPoint_Group_Employee_Benefit_Plan_Changes.pdf
  • %AppData%\updater.exe


The following registry values are added to the system:

  • HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0
  • HKey_Local_Machine\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0

The above registry values ensure that the Trojan disables the proxy setting in order to download other payloads.

  • HKey_Users\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\internet: "%AppData%\updater.exe"

The above registry value ensures that the Trojan executes the payload on the compromised system upon every Windows boot.

-------Updated on 8 Oct, 2012------------------

Aliases

  • Ikarus  - Trojan-Dropper.Win32.Killav
  • Sunbelt - BehavesLike.Win32.Malware.bsf 
  • Trend Micro - TROJ_DROPPER.XAR

Generic Dropper.p is detection for a Trojan which downloads other malware to the system. It may also collect system information and send it to the remote attacker, and it may kill the installed antivirus on the compromised machine.

Upon execution the Trojan tries to connect to several remote hosts (domain names and IP addresses, partially redacted in this profile) in order to download other payloads.

Captured Data:

MCAFEELABPC,Administrator,Broadcom,ComPlus Applications,McAfee,Messenger,MSN,MSN Gaming Zone,Norton Ghost,Online Services,SDA,Symantec,Uninstall Information,WindowsUpdate,WinPcap,Wireshark,xerox,smss*winlogon*services*lsass*spoolsv*frameworkservice*vprosvc*symsnapservice*wscntfy*explorer*igfxtray*hkcmd*igfxpers*vprotray*udaterui*mctray*wireshark*procexp*regshot*dumpcap*tcpview*procmon*ctfemen*wscntfy*wscntfy*

The above packet data confirms that the Trojan collects system information and the list of currently running processes and sends them to the remote attacker [74.126.[Removed].154].

Upon execution the Trojan drops the payloads in the following location:

  •  %Temp%\A.BAT
  •  %Temp%\ctfemen.exe
  •  %Temp%\follow_20121005181253_a00564
  •  %Temp%\lsrass.exe
  •  %Temp%\wscntfy.exe
  •  %UserProfile%\Start Menu\Programs\Startup\msinm.exe

The above Startup-folder file ensures that the Trojan executes the payload on the compromised system upon every reboot.

Below are the API calls used by the remote attacker in order to collect system information from the compromised machine.

  •  GetComputerNameW
  •  GetUserNameW

The Trojan may check for the following antivirus and analysis products and kill their processes:

  •  360SAFE.EXE
  •  AVG
  •  AVGUI.EXE
  •  MCAFEE
  •  MCSHELL.EXE
  •  KASPERSKY
  •  KASPERSKY LAB
  •  NORTON INTERNET SECURITY
  •  NAVW32.EXE
  •  NORTON
  •  UISTUB.EXE
  •  VMWAREUSER
  •  VMWARE
  •  VMWAREUSER.EXE
  •  CORESERVICESHELL.EXE
  •  COREFRAMEWORKHOST.EXE
  •  TREND
  •  TREND MICRO

 -------Updated on April 20th, 2012-----------

Aliases

  • Avira - TR/Dropper.Gen
  • Kaspersky - Trojan-Dropper.Win32.Agent.gpfp
  • Sophos - Troj/Bdoor-BEA
  • Ikarus - Trojan-Dropper

Generic Dropper.p is detection for this Trojan that drops other malicious files and opens a backdoor connection to the remote attacker in the compromised system.

Upon execution the Trojan drops the file “mdm.exe”, which tries to connect to the following site using remote port 81:

  • my.[Removed].org.uk

This Trojan may download malicious files from the above-mentioned site and execute commands from the attacker.

When executed it drops the following file:

  • %Appdata%\Microsoft\mdm.exe

The following registry value has been added

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
    “Shell” = "Explorer.exe %Appdata%\Microsoft\mdm.exe"

----------------------------------------------------------------------------------------------------------

--------Updated on April 19, 2012------------

Aliases

  • Avira - BDS/Spindest.A
  • Kaspersky - Trojan-Dropper.Win32.Agent.gpfp
  • Sophos - Troj/Bdoor-BEA
  • Microsoft - Backdoor:Win32/Spindest.A

Generic Dropper.p is detection for this Trojan that drops other malicious files and opens a backdoor connection to the remote attacker in the compromised system.

Upon execution the Trojan drops the file “mdm.exe”, which tries to connect to the following site using remote port 81:

  • my.[Removed].org.uk

This Trojan may download malicious files from the above-mentioned site and execute commands from the attacker.

When executed it drops the following file:

  • %Appdata%\Microsoft\mdm.exe

The following registry value has been added

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
    “Shell” = "Explorer.exe %Appdata%\Microsoft\mdm.exe"

The above-mentioned registry value ensures that the Trojan registers itself with the compromised system and executes upon every reboot.

---------------------------------------------------------------------------------------------------------

------ Updated on Apr 10, 2012 ----

Aliases

    • AVG - Dropper.Generic5.AVES
    • Ikarus - VirTool.MSIL
    • Kaspersky - Trojan-Dropper.Win32.Injector.czeq
    • Microsoft - VirTool:MSIL/Injector.BF

Upon execution, the Trojan drops a file into the below mentioned location and connects to the site blackshades.ru through remote port 8080 to perform further malicious activity.

    • %Temp%\plugtemp\svchost.exe

The Trojan creates the following files and deletes them from the system after some time.

    • %Temp%\plugtemp\mail.dat
    • %Temp%\plugtemp\chro.dat
    • %Temp%\plugtemp\ptsg.dat
    • %Temp%\plugtemp\iexp.dat
    • %Temp%\plugtemp\ffox.dat
    • %Temp%\plugtemp\opra.dat
    • %Temp%\plugtemp\dial.dat
    • %Temp%\plugtemp\mess.dat
    • %Temp%\plugtemp\offc.dat

The Trojan gathers the following information

    • GetComputerName
    • GetUserName
    • Windows version

The Trojan searches the registry keys where third-party applications store passwords and sends this information to the attacker after storing it in the following file.

    • [SystemDrive]:\ProgramFiles\steam\steam.exe

The Trojan gathers the IMVU messenger credentials by reading the following registry keys

    • HKEY_CURRENT_USER\Software\IMVU\username\
    • HKEY_CURRENT_USER\Software\IMVU\password\

The Trojan also uses the following functions to gather passwords from applications such as FileZilla, instant messengers, mail clients, dial-up connections, web browsers and MS Office.

    • PASSWORDS_MESS()
    • PASSWORDS_MAIL()
    • PASSWORDS_DIAL()
    • PASSWORDS_CHROv
    • PASSWORDS_IEXP()
    • PASSWORDS_FFOX()
    • PASSWORDS_PRODKEYv
    • PASSWORDS_CDKEY()
    • PASSWORDS_PTSG()
    • PASSWORDS_OFFC()

Note – [%SystemDrive% - C:\; %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp]

------

---Updated on March 29, 2012------------

Aliases

  • Avira - TR/Crypt.XDR.Gen
  • NOD32 - a variant of Win32/Packed.MoleboxVS.A
  • Kaspersky - Trojan.Win32.Scar.dgvl
  • Microsoft - Worm:Win32/Huanot.A

Generic Dropper.p is detection for this Trojan, which drops other Trojan files on the compromised system and executes them.

When executed the Trojan copies itself to the following locations:

  • %Temp%\1.exe
  • %Temp%\06_Einkauf.exe
  • [Removable Drive]:\[Random_name].exe (name of an existing folder)

The Trojan copies itself using the names of existing folders and uses the Windows "Folder Icon" as its icon. This is to trick users into opening it, effectively executing the Trojan.

The following registry value has been modified.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
    "Userinit" = "%Windir%\system32\userinit.exe, %Temp%\06_Einkauf.exe"

The above registry entry confirms that the Trojan registers with the compromised system and executes itself whenever Windows starts.
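The Winlogon "Shell" hijack described in the April 2012 updates and the "Userinit" hijack described here can be audited on a live host with the script below. It is an added example, not part of the McAfee profile; it assumes an elevated PowerShell session and that the stock Windows values of both entries ("explorer.exe" and "%windir%\system32\userinit.exe,") are the correct baseline for the host.

```powershell
# Added example, not part of the McAfee profile: audit the Winlogon "Shell"
# and "Userinit" values that these Generic Dropper.p variants overwrite
# (e.g. Shell = "Explorer.exe %Appdata%\Microsoft\mdm.exe",
#  Userinit = "%Windir%\system32\userinit.exe, %Temp%\06_Einkauf.exe")
# and report every component that is not the stock Windows value, noting
# whether it sits in a user-writable directory and whether it exists on disk.
# Assumptions: run in an elevated PowerShell on the host under inspection;
# the baseline values below are those of a default Windows installation.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock components for each value. Userinit is comma-separated (normally a
# single path followed by a trailing comma); Shell is a space-separated
# command line, so a legitimate path containing spaces would need quoting.
$Baseline = @{
    Shell    = @('explorer.exe')
    Userinit = @((Join-Path $env:windir 'system32\userinit.exe'))
}

# Directories a standard user can write to; the samples in this profile
# drop their payloads under %AppData% and %Temp%.
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ValueComponents {
    param([string]$Name, [string]$Raw)
    $separator = if ($Name -eq 'Userinit') { ',' } else { ' ' }
    $Raw -split $separator |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
}

function Test-WinlogonPersistence {
    $findings = @()
    foreach ($name in $Baseline.Keys) {
        $raw = (Get-ItemProperty -Path $WinlogonKey -Name $name -ErrorAction Stop).$name
        foreach ($part in (Get-ValueComponents -Name $name -Raw $raw)) {
            # The value may hold %Windir%-style references; expand before comparing.
            $expanded = [Environment]::ExpandEnvironmentVariables($part)
            if ($Baseline[$name] | Where-Object { $_ -ieq $expanded }) { continue }
            $inUserDir = [bool]($UserWritable |
                Where-Object { $expanded.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            $findings += [pscustomobject]@{
                Value        = $name
                Component    = $part
                UserWritable = $inUserDir
                OnDisk       = Test-Path -LiteralPath $expanded
                Raw          = $raw
            }
        }
    }
    $findings
}

$results = Test-WinlogonPersistence
if ($results) {
    $results | Format-Table Value, Component, UserWritable, OnDisk -AutoSize
} else {
    'Winlogon Shell and Userinit match the default baseline.'
}
```

A finding whose component is absent from disk still matters: the Trojan's payload may have been cleaned while the Winlogon entry remains, and the entry itself is the persistence indicator to remove.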

--------------------------------------------------------------------------------------------

--- Updated on 10-Dec-2011 ---

 

Aliases

    • BitDefender - Gen:Trojan.Heur.GC.cq0@ubbHiUeb1
    • F-secure - Gen:Trojan.Heur.GC.cq0@ubbHiUeb1
    • Norman - W32/Banker.R!genr
    • Symantec - Trojan.Dropper

Upon execution, the Trojan drops a malicious file into the below mentioned location

    • %WinDir%\system32\com32.dll [Detected as BackDoor-FDG]

The following registry values have been added to the system

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\
      ServiceDll = "%WinDir%\system32\com32.dll"
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netsvcs\
      ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"

The above registry entries confirm that the Trojan registers as a service with the system and executes every time the service starts.

Note – [%WinDir% - C:\WINDOWS]

-------------------------------------------------------------------------------------------

 

--- Updated on 9-Aug-2011 ---

Once executed, this variant drops a copy of itself in the following path:

  • C:\MSCache.Bin\961328C16BB.exe

It will then execute this file, which performs the other actions.

After that, it will inject malicious code into several running processes. Processes that have been observed to be injected include:

  • svchost.exe
  • explorer.exe
  • services.exe
  • ctfmon.exe

The malware also changes the following registry values to lower the system security settings:

  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1: 0x00000001
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost: 00 00 00 00
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1409: 0x00000003
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406: 0x00000000
  • HKEY_CURRENT_USER\<USER_SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609: 0x00000000

These changes disable any warning to the user that the connection has been redirected to a proxy, or that data is being sent without user interaction.

The malware then proceeds to connect to the following URLs:

  • POST hxxp:// uhfqds. com/dns/ home.php
  • GET hxxps:// 91. 223. 82. 133/

The data in the POST request includes information about the current user and the user's machine.

------- Updated on 13-Nov-2010 ---

File Information

    • MD5 - 37F7D9B656B60E9960F40C8F8E7C88ED
    • SHA1 - B6CCD46C49A1A618FDE16825BAD1456FF32C9EB3

When executed, spyware trojans run silently in the background, monitoring the victim's activity on the infected computer and recording all or specific pre-defined data.

The Trojan gathers the following system information:

    • Computername
    • HomeDrive
    • Homepath
    • Logonserver
    • Processor_identifier
    • Processor_level
    • SystemDrive
    • Username
    • OS
    • Processor Architecture
    • User Domain

-------

-- Update July 12, 2010 --

Some variants have been received from the field which drop and execute the following files:

  • %TEMP%\Jmj.exe
  • %TEMP%\Jmk.exe
  • %TEMP%\Jml.exe

Jmj.exe drops a DLL file (sshnas21.dll) in the %SYSTEMROOT%\SYSTEM32 folder and registers it as a service with the display name SSHNAS.

Jml.exe creates the following two job files to launch Jgesoa.exe and Jml.exe:

  • {8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
  • {35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

To start itself on reboot it creates the following registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    JDK5SWFMZY = %TEMP%\Jml.exe

Jmk.exe drops the file Jgesoa.exe in the %SYSTEMROOT% folder.

Finally, a batch file is created which deletes the original malware file.

The infected system is also observed connecting to the following domains on TCP port 80:

  • best-arts-[removed].com
  • edrichfine[removed].com

-- Update March 4, 2009 --

Some variants have displayed the following characteristics.

The following data/value pairs have been added (class ID and value names may be random):

  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A} "(Default)" "kbdsgi"
  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A}\InprocServer32 "(Default)" "C:\WINDOWS\system32\kbdsgi.dIl"
  • HKEY_CLASSES_ROOT\CLSID\{CC22E8D6-3B73-077E-DD49-EA81789AB64A}\InprocServer32 "ThreadingModel" "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\kbdsgi "(Default)" "{CC22E8D6-3B73-077E-DD49-EA81789AB64A}"

The following files are added:

  • %WinDir%\system32\dsuiqxt.dat (filename may be random)
  • %WinDir%\system32\fldrcxnr.dat (filename may be random)
  • %WinDir%\system32\iologmrg.dat (filename may be random)
  • %WinDir%\system32\kbdsgi.dat (filename may be random)
  • %WinDir%\system32\kbdsgi.dIl (filename may be random)

(Where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)

-- Update May 13, 2008 --

Upon execution, a new variant of Generic Dropper.p trojans drops the following files:

  • %WinDir%\system32\deskaspi.dat (filename may be random)
  • %WinDir%\system32\rtmra.dat (filename may be random)
  • %WinDir%\system32\rtmra.dIl (filename may be random, identified as Generic Spy.e trojan)
  • %WinDir%\system32\winstf.dat (filename may be random)
  • %WinDir%\system32\wlnotiey.dat (filename may be random)

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS, etc.)

-- Update November 7, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blog.washingtonpost.com/securityfix/2007/11/deconstructing_the_fake_ftc_em.html?nav=rss_blog
--

The most recent variant of this threat arrived in spam e-mail messages.

Upon clicking the link, the following file is downloaded.

Upon running the executable, the following files are dropped:

  • %SystemDir%\GenuineLicence.exe 65,024 bytes (Generic Dropper.p trojan)
  • %SystemDir%\kbd.dll 5,632 bytes (Generic Keylogger trojan)
  • %SystemDir%\test.dll 31,744 bytes (Generic BackDoor.u trojan)

The trojan modifies the following registry key.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "service" =  %SystemDir%\GenuineLicence.exe

 

 

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).