TR/Dldr.EbayBill.G.1 - Trojan
Virus: TR/Dldr.EbayBill.G.1
Date discovered: 22/08/2006
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 5.637 Bytes
MD5 checksum: f2e29b0e7be76aeaded42f766ec5da10
VDF version: 6.35.01.125
IVDF version: 6.35.01.128
General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Trojan-Downloader.Win32.Small.dog
• TrendMicro: TSPY_BZUB.AE
• F-Secure: Trojan-Downloader.Win32.Small.dog
• Sophos: Troj/DwnLdr-FDR
• Eset: Win32/TrojanDownloader.Agent.NGQ
Platforms / OS:
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a malicious file
• Registry modification
• Third party control
Files
It copies itself to the following location:
• %SYSDIR%\%existing file or directory%%letter%.exe
It tries to download a file from the following locations:
• http://spbfp.atlant.ru/sys/**********
• http://dreadwolf.net/**********
• http://docslv.com/gallery/bridge/**********
• http://81.95.147.138/**********
• http://soloaguia.com/imagens/**********
• http://spbfp.atlant.ru/sys/sys/**********
• http://dynafilmes.com.br/imagens/3/**********
• http://leads4sales.co.uk/images/main/**********
• http://jobundfit.de/images/**********
• http://feldvossundpartner.de/images/**********
• http://mkpicture.de/images/**********
• http://trendbusiness-at-home.de/images/**********
This file may contain further download locations and might serve as a source for new threats.
Registry
The following registry values are added again and again, in an infinite loop, so that the process is started after every reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• ":=7<$ 72'6S"="%SYSDIR%\%existing file or directory%%letter%.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• ":=7<$ 72'6S"="%SYSDIR%\%existing file or directory%%letter%.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• ":=7<$ 72'6S"="%SYSDIR%\%existing file or directory%%letter%.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
• ":=7<$ 72'6S"="%SYSDIR%\%existing file or directory%%letter%.exe"
The following registry values are added:
– [HKLM\SOFTWARE\Microsoft\Ole]
• ":=7<$ 72'6S"="%SYSDIR%\%existing file or directory%%letter%.exe"
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
• ":=7<$ 72'6S"="%SYSDIR%\%existing file or directory%%letter%.exe"
– [HKCU\Software\Microsoft\OLE]
• ":=7<$ 72'6S"="%SYSDIR%\%existing file or directory%%letter%.exe"
– [HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
• ":=7<$ 72'6S"="%SYSDIR%\%existing file or directory%%letter%.exe"
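The persistence pattern described above can be checked for from the defender's side. The following Python script is an added example, not Avira's code and not part of the original description: it walks a list of registry values and flags entries that match what the description gives, namely a symbol-only value name under one of the listed Run/RunServices keys that launches an .exe from %SYSDIR%, an executable path stored under the listed Ole or Lsa keys (which normally hold no such value), and an .exe whose name is an existing %SYSDIR% entry plus one extra letter. The %SYSDIR% expansion, the directory listing and the sample registry entries are constructed assumptions; a real check would read them from the host (for example via the winreg module) instead.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed %SYSDIR% expansion for a Windows XP host (constructed, not from the description).
SYSDIR = r"C:\WINDOWS\system32"

# Autorun keys the description lists as persistence locations (compared case-insensitively).
AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runservices",
}
# Non-autorun keys that receive the same value; an .exe path stored there is anomalous by itself.
MARKER_KEYS = {
    r"hklm\software\microsoft\ole",
    r"hklm\system\currentcontrolset\control\lsa",
    r"hkcu\software\microsoft\ole",
    r"hkcu\system\currentcontrolset\control\lsa",
}

# A value name containing punctuation or symbols rather than a readable label.
GARBAGE_NAME = re.compile(r"[^A-Za-z0-9 _.\-]")
# Value data that is a (possibly quoted) .exe located directly inside %SYSDIR%.
SYSDIR_EXE = re.compile(
    r'^"?' + re.escape(SYSDIR) + r'\\(?P<base>[^\\"]+)\.exe"?$', re.IGNORECASE
)

Entry = Tuple[str, str, str]  # (registry key, value name, value data)


def mimics_existing_name(data: str, sysdir_listing: Set[str]) -> bool:
    """True if the .exe basename is an existing %SYSDIR% name plus one trailing letter,
    the naming scheme the description gives: %existing file or directory%%letter%.exe."""
    m = SYSDIR_EXE.match(data)
    if not m:
        return False
    base = m.group("base")
    if len(base) < 2 or not base[-1].isalpha():
        return False
    return base[:-1].lower() in {n.lower() for n in sysdir_listing}


def classify_entry(key: str, name: str, data: str, sysdir_listing: Set[str]) -> Optional[str]:
    """Return a reason string if the registry value matches the described pattern, else None."""
    k = key.lower()
    if k in AUTORUN_KEYS:
        if GARBAGE_NAME.search(name) and SYSDIR_EXE.match(data):
            return "autorun value with symbol-only name launching an .exe from %SYSDIR%"
        if mimics_existing_name(data, sysdir_listing):
            return "autorun .exe named after an existing %SYSDIR% entry plus one letter"
    elif k in MARKER_KEYS:
        if SYSDIR_EXE.match(data):
            return "executable path stored under a key that should not hold one"
    return None


def find_suspicious_entries(entries: List[Entry], sysdir_listing: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Run classify_entry over every value and return (key, name, data, reason) for the hits."""
    hits = []
    for key, name, data in entries:
        reason = classify_entry(key, name, data, sysdir_listing)
        if reason:
            hits.append((key, name, data, reason))
    return hits


def keys_per_value_name(hits: List[Tuple[str, str, str, str]]) -> Dict[str, Set[str]]:
    """Group hits by value name: the same name under several listed keys is the strongest signal."""
    per_name: Dict[str, Set[str]] = {}
    for key, name, _data, _reason in hits:
        per_name.setdefault(name, set()).add(key.lower())
    return per_name


# Constructed %SYSDIR% listing and registry dump standing in for a real host.
SYSDIR_LISTING = {"drivers", "config", "spool", "ctfmon.exe", "svchost.exe"}

SAMPLE_ENTRIES: List[Entry] = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", ":=7<$ 72'6S", r'"C:\WINDOWS\system32\driversa.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices", ":=7<$ 72'6S", r'"C:\WINDOWS\system32\driversa.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", "Y"),
    (r"HKLM\SOFTWARE\Microsoft\Ole", ":=7<$ 72'6S", r'"C:\WINDOWS\system32\driversa.exe"'),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "Security Packages", "kerberos msv1_0"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Program Files\Foo\updater.exe"),
]

if __name__ == "__main__":
    found = find_suspicious_entries(SAMPLE_ENTRIES, SYSDIR_LISTING)
    for key, name, data, reason in found:
        print(f"{key}\n  {name!r} = {data}\n  -> {reason}")
    for name, keys in keys_per_value_name(found).items():
        print(f"value name {name!r} present under {len(keys)} listed key(s)")
```

On the constructed dump the script reports three of the seven values: the two autorun entries with the symbol-only name and the copy of the same value under the Ole key, while the legitimate ctfmon.exe and Program Files entries pass. The per-name grouping is the part worth keeping in a real triage script, since one odd autorun entry is common noise but the same name written to several of these keys at once matches the behaviour described here.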
Injection
– It injects itself into a process.
Process name:
• %SYSDIR%\svchost.exe
File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• FSG
See a brief description here.
Inserted by Andrei Ivanes on Wed, 23 Aug 2006 08:36 (GMT+1)
Updated by Andrei Ivanes on Tue, 05 Sep 2006 16:18 (GMT+1)
© 2010 Avira Soft SRL