MultiDropper-GP.dr

Discussion in 'malware problems & news' started by Marianna, Feb 18, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Date Discovered: 2/9/2004
    Date Added: 2/17/2004
    Origin: Unknown
    Length: 19,295 bytes; 12,797 bytes
    Type: Trojan

    Virus Characteristics

    This trojan simply installs other trojans. It was being installed via an Internet Explorer exploit. Unsuspecting users who navigated to a specified website using a vulnerable web browser would become infected.

    At the time of this writing the website in question is no longer responding.

    Upon visiting the infectious web page, the Exploit-MhtRedir trojan would download and access a Microsoft Compiled Help file (CHM.CHM). Within this CHM file exists an HTML document, LAUNCH.HTML, which contains the Exploit-CodeBase trojan to run the file MSTASK.EXE, which is the MultiDropper-GP.a trojan.

    Indications of Infection

    Presence of the following files:

    %WinDir%\msto32.dll (3,072 bytes) - KeyHook.dll application
    %WinDir%\svchost.exe (12,288 bytes) - Spy-Tofger trojan
    %WinDir%\sysini.ini
    %WinDir%\Downloaded Program Files\mstasks.exe (25,852 bytes) - MultiDropper-GP.a trojan
    %SysDir%\mstu.exe (6,656 bytes) - ProcKill-BM trojan
    %SysDir%\wingua.exe (4,608 bytes) - MultiDropper-GP.b trojan
    Where %WinDir% is the Windows directory (c:\windows, c:\winnt, etc.) and %SysDir% is the System directory (c:\windows\system32, c:\windows\system, etc.)

    Method of Infection

    This trojan is installed via an Internet Explorer vulnerability when visiting an infectious website.
    Aliases

    PHP_BIZAI.A (Trend)
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101031
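The indicator list above can be turned into a small host check. The following script is an added example (not part of the post or of the McAfee write-up): it expands the %WinDir% / %SysDir% placeholders using the candidate directories the post names, and reports each listed file as an exact size match, present with a different size, or present where no size was given. The `size_of` callback is an assumption that lets the check run against a constructed file map as well as a real filesystem.

```python
import os

# Indicators as listed in the post: (path template, expected size in bytes or None)
INDICATORS = [
    (r"%WinDir%\msto32.dll", 3072),
    (r"%WinDir%\svchost.exe", 12288),
    (r"%WinDir%\sysini.ini", None),
    (r"%WinDir%\Downloaded Program Files\mstasks.exe", 25852),
    (r"%SysDir%\mstu.exe", 6656),
    (r"%SysDir%\wingua.exe", 4608),
]

# Candidate directories named in the post's note on %WinDir% and %SysDir%
DEFAULT_DIRS = {
    "%WinDir%": [r"C:\windows", r"C:\winnt"],
    "%SysDir%": [r"C:\windows\system32", r"C:\windows\system"],
}

def expand(template, dirs):
    """Yield every concrete path a placeholder template may refer to."""
    for var, bases in dirs.items():
        if template.startswith(var):
            for base in bases:
                yield base + template[len(var):]
            return
    yield template  # no placeholder: use as-is

def scan(size_of, dirs=DEFAULT_DIRS):
    """size_of(path) returns the file size in bytes, or None if absent.
    Returns [(path, verdict)] with verdict 'match', 'size-differs' or 'present'."""
    hits = []
    for template, expected in INDICATORS:
        for path in expand(template, dirs):
            size = size_of(path)
            if size is None:
                continue  # file not there, nothing to report
            if expected is None:
                verdict = "present"
            elif size == expected:
                verdict = "match"
            else:
                verdict = "size-differs"  # possibly another variant or a benign file
            hits.append((path, verdict))
    return hits

def real_size(path):
    """size_of implementation for the local filesystem."""
    return os.path.getsize(path) if os.path.isfile(path) else None

if __name__ == "__main__":
    for path, verdict in scan(real_size):
        print(f"{verdict:13} {path}")
```

A legitimate svchost.exe lives in the System directory, so a copy directly under %WinDir% is suspicious regardless of its size, while a "size-differs" hit on any other name deserves a closer look rather than an automatic verdict.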