
Trojan.Downloader.6588.E

HIGH
LOW
variable
(AdWare.Win32.Stud.A, Win32/Adware.BHO.AA, WebPrefix.A, Trojan.Downloader.CGU, W32/Downloader.MNI)

Symptoms

Presence of the following registry keys:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WebPrefix
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Offline Folder = "%SOME_GUID%"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\[%SOME_GUID%]
  • HKEY_CLASSES_ROOT\CLSID\[%SOME_GUID%]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[%SOME_GUID%]

Note: %SOME_GUID% is a randomly generated GUID such as 78990BAC-78C6-411B-B2A5-81B37DB9D512.

Removal instructions:

Close all your Internet Explorer windows and scan your computer. Delete all the infected files. Then, restart your computer and rescan the %SYSTEM% folder. If the virus has been recopied there, reboot in safe mode and rescan the %SYSTEM% folder.

Analyzed By

Marius Botis, virus researcher

Technical Description:

This malware is a Browser Helper Object (BHO) which:

  • Is located in %SYSTEM%\%SOME_NAME%.dll (e.g. nvrspl32.dll, swprv32.dll, mprddm32.dll, ulib32.dll, dmintf32.dll, netos32.dll, ruipxmib.dll, etc.)
  • Connects to http://axload.to/..., sending information about the computer, such as the operating system version and the Service Pack version.
  • Downloads encrypted components/updates from that website, decrypts the data, injects it into explorer.exe and then executes it (typically, the resulting data is an executable file packed with UPX, about 35 KB in size).
  • Displays commercial advertisements and redirects the web browser to various porn sites.
  • Changes the start page of Internet Explorer to various sites.

Note: %SYSTEM% is usually C:\WINDOWS\SYSTEM32 (WinXP), C:\WINNT\SYSTEM32 (Win2000, NT) or C:\WINDOWS\SYSTEM (Win9x).
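The registry symptoms listed above and the BHO layout from the technical description can be checked together from PowerShell. This is an added example, not a Bitdefender tool; it assumes an elevated session on the suspect host, and the variable names and output format are assumptions of the example, not anything from the page.

```powershell
# Added example, not Bitdefender's code: triage checks for the registry symptoms listed above.
# Assumes an elevated PowerShell session on the suspect Windows host. Because the CLSID is a
# random GUID, the script enumerates every BHO rather than looking for one fixed key.

$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$bhoKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$statsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
$system   = [Environment]::GetFolderPath('System')                 # e.g. C:\WINDOWS\SYSTEM32
$guidRx   = '^\{?[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$'    # -match is case-insensitive
# DLL names quoted on the page as examples; the real name is random, so a match is only a hint.
$seenNames = @('nvrspl32.dll','swprv32.dll','mprddm32.dll','ulib32.dll','dmintf32.dll','netos32.dll','ruipxmib.dll')

$findings = @()

# Symptoms under IE\Main: the WebPrefix subkey and an "Offline Folder" value holding a GUID.
if (Test-Path "$ieMain\WebPrefix") {
    $findings += [pscustomobject]@{ Indicator = 'WebPrefix key present'; Detail = "$ieMain\WebPrefix" }
}
$offline = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Offline Folder'
if ($offline -and $offline -match $guidRx) {
    $findings += [pscustomobject]@{ Indicator = 'Offline Folder value is a GUID'; Detail = $offline }
}

# Every registered BHO: resolve its COM server DLL via HKCR\CLSID and check where it lives.
foreach ($bho in Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue) {
    $clsid = $bho.PSChildName
    $srv   = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll   = [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)')
    if (-not $dll) { continue }                                    # no server path: nothing to assess
    $dir   = [IO.Path]::GetDirectoryName($dll)
    $name  = [IO.Path]::GetFileName($dll)
    $flags = @()
    if ($dir -and ($dir.TrimEnd('\') -ieq $system.TrimEnd('\'))) { $flags += 'DLL directly in %SYSTEM%' }
    if ($seenNames -contains $name)                                { $flags += 'name listed on the page' }
    if (Test-Path "$statsKey\$clsid")                              { $flags += 'Ext\Stats entry present' }
    $findings += [pscustomobject]@{
        Indicator = if ($flags) { 'BHO to review: ' + ($flags -join ', ') } else { 'BHO (informational)' }
        Detail    = "$clsid -> $dll"
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed indicators found.' }
```

A BHO whose DLL sits directly in %SYSTEM% is only a lead, since a few legitimate add-ons install there too; confirm with a scan of the flagged file before removing anything.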