
Virus Profile: Downloader-BKU

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/22/2008
Date Added: 10/22/2008
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Downloader
DAT Required: 5412

Description

This downloader has been observed to be bundled with a legitimate software installer. Downloaders are designed to pull files from a remote website and execute the files that have been downloaded.

Indication of Infection

A DLL named "Applocale.dll" is dropped into %SystemDir%, as well as a copy of the legitimate installer. Applocale.dll is also injected into an svchost.exe process whether or not the installation is completed.

Methods of Infection

Downloaders are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these are additionally mass-spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page, either through the user clicking on a link or through the website hosting a scripted exploit that installs the Downloader onto the user's system with no user interaction.


Virus Characteristics

These are general defaults for typical path variables (they may differ, but these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

This trojan has been bundled with a legitimate application. On execution, a malicious DLL file is dropped in the background. Following this, the legitimate application is loaded, so installation of the malicious DLL takes place under a false pretext. The dropped DLL is loaded by svchost.exe, which then attempts to download additional files.

On execution, the following files are created:

  • %SystemDir%\Applocale.dll
  • %SystemDir%\shells32.ini
  • %SystemDir%\SkypeClient.exe

It also creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Applocale
    • DisplayName = Microsoft AppLocale
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Applocale\Parameters
    • ServiceDll = %SystemDir%\Applocale.dll

Network communication to the following domain was observed:

  • 9liuliang.cn
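The following host check is an added example, not McAfee's tooling or anything shipped with the engine/DAT. It looks for the indicators listed above in Indication of Infection and Virus Characteristics: the three dropped files in %SystemDir%, the Applocale service registration with its ServiceDll value, Applocale.dll loaded inside an svchost.exe process, and a resolver-cache entry for 9liuliang.cn. Only the file names, registry keys, DisplayName and domain come from the profile; the use of %SystemRoot%\System32 for %SystemDir%, the extra look at CurrentControlSet (the control set the running system actually uses, whereas the page records ControlSet001), and the ipconfig-based DNS cache check are assumptions. It is meant to be run in an elevated PowerShell on the suspect machine.

```powershell
# Added example: check a Windows host for the Downloader-BKU indicators on this profile.
# Assumption: run elevated; %SystemDir% is taken to be %SystemRoot%\System32 (XP/Vista layout).
$systemDir = Join-Path $env:SystemRoot 'System32'

# 1. Dropped files named in the profile
$droppedFiles = @('Applocale.dll', 'shells32.ini', 'SkypeClient.exe')
$fileHits = foreach ($name in $droppedFiles) {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) {
        Get-Item -LiteralPath $path | Select-Object FullName, Length, CreationTime
    }
}

# 2. Service registration. The profile lists ControlSet001; CurrentControlSet is
#    checked as well (assumption: that is the control set the live system boots from).
$serviceKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\Applocale',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Applocale'
)
$registryHits = foreach ($key in $serviceKeys) {
    if (Test-Path -LiteralPath $key) {
        $svc    = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $params = Get-ItemProperty -LiteralPath (Join-Path $key 'Parameters') -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key         = $key
            DisplayName = $svc.DisplayName      # profile value: "Microsoft AppLocale"
            ImagePath   = $svc.ImagePath        # for a ServiceDll-style service this is an svchost.exe command line
            ServiceDll  = $params.ServiceDll    # profile value: %SystemDir%\Applocale.dll
        }
    }
}

# 3. Applocale.dll loaded inside any svchost.exe. Module enumeration needs elevation;
#    processes that deny access are skipped rather than aborting the whole check.
$injectedHits = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    try {
        $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq 'Applocale.dll' }
        if ($mod) {
            [pscustomobject]@{ ProcessId = $proc.Id; Module = ($mod | Select-Object -First 1).FileName }
        }
    } catch {
        # access denied on a protected process: nothing to report for it
    }
}

# 4. Resolver cache entry for the contacted domain (best effort; cache entries expire quickly)
$domain = '9liuliang.cn'
$dnsHit = (ipconfig /displaydns 2>$null) -match [regex]::Escape($domain)

# Report
'--- Dropped files ---';     $fileHits     | Format-Table -AutoSize
'--- Service registry ---';  $registryHits | Format-List
'--- svchost modules ---';   $injectedHits | Format-Table -AutoSize
'--- DNS cache ---';         if ($dnsHit) { $dnsHit } else { "no cached entry for $domain" }

if ($fileHits -or $registryHits -or $injectedHits -or $dnsHit) {
    Write-Warning 'Downloader-BKU indicators present: update engine/DAT files and run a full scan.'
} else {
    'No Downloader-BKU indicators found.'
}
```

A ServiceDll value under Services\<name>\Parameters is how svchost.exe-hosted services are registered, which is why the registry section above is the most durable indicator: the file names can change between samples, but a service whose ServiceDll points at a DLL in %SystemDir% that Windows did not ship is worth a closer look regardless of the name it carries.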

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).