ViRobot
Home HOME > Security Info

Security Info

Threats DB

Dropper.S.Downloader.233984

Aliases  
Typical Symptoms  Changes registry,,Installing Trojan Horse,Creates file
Discovered  [korea] 0000-00-00
 [Foreign] 0000-00-00
Type  Trojan Horse ActiveField  Win32
Destory/Distribution
Origin  others Encryption  NO
Location  File Memory residence  NO
Scan engine needed
2010-07-23 [Able to detect & repair]
  • Free scan
  • Free trial download
Description

[Symptom of Infection]

1. It is a malicious code that is related to me2DAY online service, and it spreads out with other applications such as Internet TV program.

2. It spreads out by me2DAY and twitter services.

http://twitter.com/adrxxxxxx_82

http://me2day.net/adrxxxxxx_82


[PIC 1] me2DAY


[PIC 2] Twitter

3. It downloads malicious codes from below sites.

http://11x.1xx.15x.x47/upload/atk.exe

http://11x.1xx.15x.x47/upload/fm.exe

http://11x.1xx.15x.x47/upload/prvupdtcln.exe


4. The malicious code creates csupdt.dll file to system folder, and the file pretends to be a Microsoft Windows Update file.

5. The csupdt.dll is injected to svchost process, and it downloads malicious codes by period.


6. It is registered to below services.


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinNetMng]

"Type"=dword:00000010

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\

  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,\

  00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,63,00,73,00,00,00

"DisplayName"="Windows Net Manager"

"ObjectName"="LocalSystem"



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinNetMng\Parameters]

"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\

  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\

  63,00,73,00,75,00,70,00,64,00,74,00,2e,00,64,00,6c,00,6c,00,00,00

7. The detection names which are related to me2DAY are like below:

Trojan.Win32.Malex.184320

Trojan.Win32.S.Agent.100864

Trojan.Win32.S.Agent.101376

Trojan.Win32.S.Agent.494080

Worm.Win32.P2P-Palevo.D.Gen
Removal Instructions

[How to repair]

 

1. If you are WinXP/ME users, please be inactivate System Recovery Function.

The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
     -Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users
     - Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)

     - Use the trial version of ViRobot products (30days only)

3. How to scan the virus.


a. Run your ViRobot, and choose "all files" in scan option.

- ViRobot Desktop 5.0 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- ViRobot Desktop 5.5 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.

c. If [Auto-repair after rebooting] message shows up, please try to re-scan after rebooting the PC.
List
Copyright 2008 @ HAURI Inc. All rights reserved. SiteMap