Troj/Dloader-BO (variant)

Discussion in 'malware problems & news' started by Technodrome, Jan 23, 2003.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Aliases:
    TrojanDownloader.Win32.Inor, Downloader-BO, W32/Maz.A, Tr/Mastaz, Maz, Mastaz, W32/Maz.B

    Sophos has received several reports of this Trojan from the wild.

    Note: Sophos has been detecting Troj/Dloader-BO since 13:19 GMT on 12 November 2002, but has issued this new IDE to include detection of a slight variant.


    Description
    Troj/Dloader-BO downloads and executes a file from the website
    masteraz.hypermart.net within 3 days of being run for the first time. At the time of writing Sophos has seen examples of two downloaded files, detected as Troj/Bdoor-Aml and Troj/Keylog-I but, of course, the file could be changed.

    Troj/Dloader-BO has been seen in the files MASTERAZ.EXE, JIMKRE.EXE and messages.hta.

    The Trojan adds the following entry to the registry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.inr\5Nzg1mOWKzFnuvu6 = "C:\<path to Trojan>"

    This will run the Trojan on system restart.

    The Trojan also creates the following entry within the registry:

    HKLM\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6

    Recovery
    Please read the instructions for removing Trojans.
    Windows NT/2000/XP

    In Windows NT/2000/XP you will also need to edit the following registry keys. The removal of this key is optional in Windows 95/98/Me.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.inr\5Nzg1mOWKzFnuvu6 = "C:\<path to Trojan>"

    HKLM\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6

    and delete them if they exist.

    Close the registry editor.

    source: http://www.sophos.com


    Technodrome
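The advisory quoted above gives the registry entries, file names and download host as indicators, and the removal steps as a manual regedit procedure. The following PowerShell script is an added example (it is not from Sophos or from the forum post) that turns those indicators into a report-first check an administrator can run on a suspect host. It assumes an elevated prompt, treats the backslash inside `.inr\5Nzg1mOWKzFnuvu6` as part of the value name (the advisory's line break also allows the reading "subkey `Run\.inr`, value `5Nzg1mOWKzFnuvu6`", so both forms are checked), and the `$SearchRoots` directories are an assumption of where to look for the named files, since the advisory only says `C:\<path to Trojan>`. Files are reported, never deleted; registry entries are deleted only with `-Remove`.

```powershell
# Added example, not part of the Sophos advisory or the forum post.
# Reports the Troj/Dloader-BO persistence artefacts listed in the advisory;
# deletes the registry entries only when -Remove is given (export HKLM first,
# as the advisory's "Export Registry File" step describes).
[CmdletBinding()]
param(
    [switch]$Remove,
    # Assumed locations to search for the named files; adjust for the host.
    [string[]]$SearchRoots = @($env:SystemRoot, $env:TEMP, $env:USERPROFILE)
)

# Indicators quoted from the advisory.
$runSubKey     = 'Software\Microsoft\Windows\CurrentVersion\Run'
$valueName     = '.inr\5Nzg1mOWKzFnuvu6'      # backslash is part of the value name
$classesSubKey = 'Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6'
$fileNames     = @('MASTERAZ.EXE', 'JIMKRE.EXE', 'messages.hta')

$findings = @()
$hklm = [Microsoft.Win32.Registry]::LocalMachine

# 1. Run value. The .NET registry API is used so the backslash in the value
#    name is taken literally instead of as a path separator.
$run = $hklm.OpenSubKey($runSubKey, $Remove)   # writable handle only when removing
if ($run) {
    $data = $run.GetValue($valueName, $null)
    if ($null -ne $data) {
        $findings += "Run value '$valueName' present, data: $data"
        if (Test-Path -LiteralPath "$data") { $findings += "  referenced file exists: $data" }
        if ($Remove) { $run.DeleteValue($valueName, $false); $findings += '  -> value deleted' }
    }
    $run.Close()
}

# 1b. Alternative reading of the advisory: subkey Run\.inr with value 5Nzg1mOWKzFnuvu6.
$alt = $hklm.OpenSubKey("$runSubKey\.inr")
if ($alt) {
    $altData = $alt.GetValue('5Nzg1mOWKzFnuvu6', $null)
    $alt.Close()
    if ($null -ne $altData) {
        $findings += "Key Run\.inr, value '5Nzg1mOWKzFnuvu6' present, data: $altData"
        if ($Remove) { $hklm.DeleteSubKeyTree("$runSubKey\.inr", $false); $findings += '  -> key deleted' }
    }
}

# 2. CLASSES key created by the Trojan.
$cls = $hklm.OpenSubKey($classesSubKey)
if ($cls) {
    $cls.Close()
    $findings += "Key HKLM\$classesSubKey present"
    if ($Remove) { $hklm.DeleteSubKeyTree($classesSubKey, $false); $findings += '  -> key deleted' }
}

# 3. Files named in the advisory. Reported only; a file called messages.hta is not
#    necessarily malicious, so the analyst decides what to do with each hit.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -Include $fileNames -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File $($_.FullName) ($($_.Length) bytes)" }
}

if ($findings.Count -eq 0) { 'No Troj/Dloader-BO indicators found.' } else { $findings }
```

Run it once without `-Remove` to see what is present, reboot-test after removal, and remember that the advisory says the downloaded payload is detected separately (Troj/Bdoor-Aml, Troj/Keylog-I at the time of writing) and could change, so clearing the downloader's own entries does not by itself clear what it fetched; a full scan with up-to-date definitions is still needed.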
     