For Home

Virus Profile: Downloader-CJX

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/10/2010
Date Added: 7/10/2010
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Downloader
DAT Required: 6040
Removal Instructions
   
 
 
   

Description

This description is for a Downloader Trojan, which when executed, could further download more malicious components from the web and install them on the victim’s machine.

The characteristics of this downloader in regards to file names, URLs accessed, files downloaded etc. will differ, depending the way in which the attacker had configured it. Hence, this is a general description.

 

Indication of Infection

  • Presence of files and registry entries mentioned
  • Unpexpected connections to the above mentioned Domains
  • Presence of the following autorun.inf file on the root of removable and fixed drives:

Methods of Infection

This malware spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

This malware may also be recieved under the premise that it is beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

 

Aliases

TR/Dldr.Gaat.B [Avira], W32.Changeup [Symantec], W32/Autorun-BFG [Sophos], Win32/AutoRun.VB.RD [Nod32], Worm.Win32.VBNA [Ikarus], Worm.Win32.VBNA.aitt [Kaspersky], Worm:Win32/Vobfus.R [Microsoft]
   

Virus Characteristics

When executecd, this malware creates the following files:

Note:

  • The MD5 of the malware dropped in the above location keeps changing eveytime the malware is executed
  • %UserProfile% is a variable location and refers to the user's profile folder, e.g.  C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP)

The malware also drops copies of itself in any inserted usb disk, along with several .lnk files pointing to this executable. Existing folders are randomly selected and made hidden, with .lnk files created with folder icons to mimick existing folders.

The malware then creates the following registry entries:

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
    Data: "mbvoj.exe" = "%userprofile%\mbvoj.exe"

The above registry entry ensures that the malware executes on Windows Startup.

  • Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 
    Data: "ShowSuperHidden" = 00, 00, 00, 00

The above registry entry ensures that the hidden files and folders and not displayed in Windows Explorer.

The malware attempts to connect to the following URLs to download additional malware:

  • ns1.thepicture[removed].net
  • bert[removed].com
   

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.