Trojan.Downloader.3069.A
| Alert Level: | medium |
| Discovered: | 2005-07-04 |
| Tag: | Trojan Downloader |
| Discoverer and Source: | http://www.bitdefender.com/ |
Malware Behavior and Technical Description
Presence of the following entries in the registry:
- HKCR\retro64_loader.R64Loader
- HKCR\retro64_loader.R64Loader.1
- HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}
- HKCR\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}
- HKCR\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}
Under HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}, the (Default) value of the InProcServer32 subkey is set to the full path of the trojan DLL, so this value tells you which file is loaded. For example:
HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}\InProcServer32\(Default) = %Windir%\System32\aaa.dll
where aaa.dll is the Trojan.Downloader.3069.A DLL (the file name shown is only an example; the registry keys above are the indicators to look for).
NOTE:
- by HKCR we mean HKEY_CLASSES_ROOT, which is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes; the entries physically live under one of those two hives.
- the entries above can be searched for with the regedit utility (open Start->Run, type regedit) or queried from a command prompt with reg query.
Trojan.Downloader.3069.A is an adware-related DLL. It does not install itself: it must be loaded by another application (typically the adware that bundles it). When loaded for the first time, it registers itself as a COM object (ProgID, CLSID, TypeLib and Interface keys) by creating the following registry entries:
- HKCR\retro64_loader.R64Loader.1
- HKCR\retro64_loader.R64Loader
- HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}
- HKCR\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}
- HKCR\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}
Trojan.Downloader.3069.A downloads files from specific URLs over HTTP (TCP port 80) on behalf of the application that calls it. After the file is downloaded, it
Trojan.Downloader.3069.A removal instructions:
Please boot your machine in Safe Mode and perform the following:
1. Check the following registry entry (using regedit or any registry editing utility); its data is the full path of the trojan DLL:
- HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}\InProcServer32\(Default)
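As an added example (not part of the BitDefender description), the following Python script performs the check from step 1 and the registry-key search from the technical description offline, against a regedit export (.reg) taken from the suspect machine (for example with reg export HKCR export.reg) rather than on the live registry: it parses the export, reports which of the five registry keys listed above are present, and extracts the InProcServer32 (Default) path. The .reg text embedded in the script is constructed sample data; the DLL path C:\WINDOWS\System32\aaa.dll, the ThreadingModel value and the benign .txt key are assumptions for illustration, not values taken from the description.

```python
"""Offline check of a regedit export (.reg) for the COM registration
described above. Added example: not part of the BitDefender description.
Usage: python check_r64loader.py export.reg   (export with: reg export HKCR export.reg)
Without an argument the constructed SAMPLE_REG below is checked."""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Registry keys named in the description; HKCR expanded to HKEY_CLASSES_ROOT
# because that is how regedit writes them in an export.
IOC_KEYS = [
    r"HKEY_CLASSES_ROOT\retro64_loader.R64Loader",
    r"HKEY_CLASSES_ROOT\retro64_loader.R64Loader.1",
    r"HKEY_CLASSES_ROOT\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}",
    r"HKEY_CLASSES_ROOT\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}",
    r"HKEY_CLASSES_ROOT\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}",
]
INPROC_KEY = r"HKEY_CLASSES_ROOT\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}\InProcServer32"

_KEY_RE = re.compile(r"\[(-?)(.+)\]")
# value line: '@' (the (Default) value) or a quoted name, '=', then the data
_VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def _unquote(s: str) -> str:
    """Strip the quotes of a REG_SZ literal and undo regedit's \\ and \" escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'Windows Registry Editor Version 5.00' text into
    {KEY_PATH (upper-cased): {value_name: data}}; name "" is the (Default) value.
    Only REG_SZ literals are decoded; hex()/dword: data is kept as written and
    continuation lines of long hex values are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.fullmatch(line)
        if m:
            if m.group(1) == "-":      # "[-KEY]" means delete: nothing to record
                current = None
                continue
            current = m.group(2).upper()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.fullmatch(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unquote(data)
            keys[current][name] = data
    return keys


def find_indicators(text: str) -> Tuple[List[str], Optional[str]]:
    """Return (IOC keys present in the export, InProcServer32 (Default) path or None)."""
    keys = parse_reg_export(text)
    present = [k for k in IOC_KEYS if k.upper() in keys]
    path = keys.get(INPROC_KEY.upper(), {}).get("")
    return present, path


# Constructed sample export (assumption, not data from the description): the
# listed keys minus the Interface key, an assumed DLL path, and an unrelated
# benign key to show that it is not matched.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\retro64_loader.R64Loader]
@=""

[HKEY_CLASSES_ROOT\retro64_loader.R64Loader.1]
@=""

[HKEY_CLASSES_ROOT\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}\InProcServer32]
@="C:\\WINDOWS\\System32\\aaa.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}]
'''


def load_reg_file(path: str) -> str:
    # regedit writes exports as UTF-16LE with a BOM; the 'utf-16' codec consumes the BOM.
    with open(path, encoding="utf-16") as f:
        return f.read()


if __name__ == "__main__":
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    present, path = find_indicators(text)
    for k in present:
        print("present:", k)
    print("InProcServer32 (Default):", path)
```

Because HKCR is a merged view, an export of HKCR shows the keys regardless of whether they were written under HKLM\SOFTWARE\Classes or HKCU\Software\Classes; when you go to delete them, check both locations. The parser only decodes plain REG_SZ values, which is enough here: if the InProcServer32 default were exported as REG_EXPAND_SZ (hex(2):...), the path would be reported in its raw hex form rather than as text.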