Troj/Dloader-BO (variant)

Discussion in 'malware problems & news' started by Technodrome, Jan 23, 2003.

    Aliases: TrojanDownloader.Win32.Inor, Downloader-BO, W32/Maz.A, Tr/Mastaz, Maz, Mastaz, W32/Maz.B

    Sophos has received several reports of this Trojan from the wild.

    Note: Sophos has been detecting Troj/Dloader-BO since 13:19 GMT on 12 November 2002, but has issued this new IDE to include detection of a slight variant.


    Description

    Troj/Dloader-BO downloads and executes a file from the website masteraz.hypermart.net within 3 days of being run for the first time. At the time of writing, Sophos has seen examples of two downloaded files, detected as Troj/Bdoor-Aml and Troj/Keylog-I, but the file could of course be changed.

    Troj/Dloader-BO has been seen in the files MASTERAZ.EXE, JIMKRE.EXE and messages.hta.

    The Trojan adds the following entry to the registry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.inr\5Nzg1mOWKzFnuvu6 = "C:\<path to Trojan>"

    This will run the Trojan on system restart.

    The Trojan also creates the following entry within the registry:

    HKLM\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6

    Recovery

    Please read the instructions for removing Trojans.

    Windows NT/2000/XP

    In Windows NT/2000/XP you will also need to edit the following registry keys. Removal of these keys is optional in Windows 95/98/Me.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\.inr\5Nzg1mOWKzFnuvu6 = "C:\<path to Trojan>"

    HKLM\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6

    and delete them if they exist.

    Close the registry editor.

    source: http://www.sophos.com


    Technodrome
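An added example, not part of the Sophos advisory or this post: a PowerShell script that checks a host for the two registry artifacts listed above and, with -Remove, exports a backup of the parent keys (the advisory's Regedit export step) before deleting them. It assumes an elevated session, and because a registry value name may contain a backslash, it looks up the Run entry by its exact value name and also checks the same path as a subkey.

```powershell
# Added example (not Sophos's or the poster's code). Checks for the registry
# artifacts the advisory lists and, with -Remove, backs them up and deletes them.
# Assumption: run from an elevated PowerShell session on the affected host.
[CmdletBinding()]
param([switch]$Remove)

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valName  = '.inr\5Nzg1mOWKzFnuvu6'         # Run value name from the advisory
$runSub   = Join-Path $runKey $valName      # same string read as a subkey of Run
$classKey = 'HKLM:\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6'
$hits = @()

# 1. Run value: the persistence entry that relaunches the Trojan at startup.
#    The value name itself contains a backslash, so look it up by exact name.
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valName]) {
    $hits += [pscustomobject]@{ Kind = 'Value'; Path = $runKey; Name = $valName; Data = $run.$valName }
}

# 2. The same name as a subkey (in case the advisory's notation means a key),
#    plus the marker key the Trojan creates under CLASSES.
foreach ($k in @($runSub, $classKey)) {
    if (Test-Path -LiteralPath $k) {
        $hits += [pscustomobject]@{ Kind = 'Key'; Path = $k; Name = ''; Data = '' }
    }
}

if ($hits.Count -eq 0) { Write-Output 'No Troj/Dloader-BO registry artifacts found.'; return }
$hits | Format-Table -AutoSize

if ($Remove) {
    # Mirror the advisory's backup step: export the parent keys before deleting.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' "$env:TEMP\Run-$stamp.reg" /y | Out-Null
    if (Test-Path -LiteralPath 'HKLM:\Software\CLASSES\.inr') {
        reg.exe export 'HKLM\Software\CLASSES\.inr' "$env:TEMP\Classes-inr-$stamp.reg" /y | Out-Null
    }
    foreach ($h in $hits) {
        if ($h.Kind -eq 'Value') { Remove-ItemProperty -LiteralPath $h.Path -Name $h.Name }
        else { Remove-Item -LiteralPath $h.Path -Recurse }
    }
    Write-Output "Removed $($hits.Count) artifact(s); .reg backups are in $env:TEMP"
}
```

Run it without -Remove first to see what is present; the Data column of a Run hit shows the path the Trojan was launched from, which tells you which file to remove next.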