Anti-Virus Leader ViRobot

Trojan.Win32.Downloader.61952.CU

Aliases
Typical Symptoms	Attacks network,Decreases network speed,Changes registry,Security threats,Place malicious code,Downloading a particular file,Creates file
Discovered	[korea] 0000-00-00 [Foreign] 0000-00-00
Type	Worm	ActiveField	Win32
Destory/Distribution
Origin	others	Encryption	NO
Location	Macro	Memory residence	NO
Scan engine needed	2009-9-1 [Able to detect & repair]

A. Route of Infection

Trojan.Win32.Downloader.61952.CU is downloadded from hacked site or other malicious codes such as Spy/Adware, Dropper, and etc.

B. Symptom of Infection

1) Once Trojan.Win32.Downloader.61952.CU is executed, it terminates all monitoring tools like process, network, and registry by Anti-debugging function.

2) Trojan.Win32.Downloader.61952.CU creates the following files.

            C:\win.com (Trojan.Win32.Downloader.61952.CU )
            C:\autorun.inf ( INF.S.Autorun.133 )
            (System Folder)\winrsc.exe (Copy itself)
            (System Folder)\drivers\sysdrv32.sys ( Trojan.Win32.RT-Agent.11656 )

3) Trojan.Win32.Downloader.61952.CU adds registry like below.

HKLM\SYSTEM\ControlSet001\Services\sysdrv32\ImagePath:

"\??\C:\WINDOWS\system32\drivers\sysdrv32.sys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

System Monitor: "C:\WINDOWS\system\winrsc.exe"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Service: "sysdrv32"

4) Trojan.Win32.Downloader.61952.CU's network runs like below.

[PIC 1] Send packets to same bandwidth continously

5) Trojan.Win32.Downloader.61952.CU can be spread out via shared folder and USB by created autorun.inf.

[PIC 2] Autorun.inf

[How to repair]

Reparable by ViRobot engine ver.2009-09-01.00.

Copyright 2008 @ HAURI Inc. All rights reserved.