Malware type: Trojan

Aliases: Trojan-Downloader.Win32.VB.akr (Kaspersky), Generic Downloader.ab (McAfee), Downloader (Symantec), TR/Dldr.VB.akr.5 (Avira), Troj/Dloadr-ATQ (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This Trojan arrives as a downloaded file by another malware, which Trend Micro detects as TROJ_SMALL.GHI.

Upon execution, it retrieves a target system's time zone and keyboard layout settings, presumably to detemine if the system is located in Estonia, Lithunia, or Latvia. If the system conforms to specific qualifications related to the mentioned settings, this Trojan removes itself and exits. This routine suggests that this Trojan's author/s hails from said locations and is avoiding infecting machines located in those countries.

If the system does not possess the conditions it is looking for, it connects to the URL, 69.41.{BLOCKED}.44/bin/ieschedule.exe, to download and execute a file detected by Trend Micro as TSPY_STERS.AT. As a result, routines of the downloaded spyware are exhibited on the affected system.

It modifies the registry, terminates two services, and deletes a certain file to weaken security and prime the affected system for more malware infections.

After executing its downloaded file and performing the other mentioned actions, it removes itself from the affected system.

For additional information about this threat, see:
Solution
Technical Details

Description created: Feb. 19, 2007 7:18:57 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.