Recently in Computer Viruses Category

Trojan-GameThief.Win32.OnLineGames.tnys


This Trojan is designed to steal account data from the online game LineAge2. It is a Windows PE EXE file. It is 654848 bytes in size.

Payload

When launched, the Trojan displays the message shown below:

 

 

The user is asked to enter the address of the LineAge2 gaming server and his/her user name and password. When the "Start" button is pressed, the Trojan sends the details entered in the "IP-Server", "Account" and "Password" fields via email to the address shown below:

***crackserver@rambler.ru

The Trojan then ceases running.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program's process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

 

Trojan-Downloader.JS.Agent.sg


This Trojan downloads other files via the Internet and launches them for execution on the victim machine. It is an HTML page which contains VBScript and JavaScript. It is 677 bytes in size.

Payload

Once the Trojan is launched, it exploits a vulnerability in the ActiveX component with the CLSID (system registry identifier) shown below:

{A7F05EE4-0426-454F-8013-C41E3596E9E9}

The vulnerability (CVE-2007-4105) is in the "DloadDS()" method of the "BaiduBar.dll" library. The Trojan attempts to download a file via this vulnerability from the remote server shown below:

http://www1.*****joy.com/S368/cabS3682.exe

The file will be saved to the current user's Windows temporary directory and launched for execution.

At the time of writing, the link was not active.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete all files from %Temporary Internet Files%.
  3. Disable the vulnerable ActiveX object (see How to stop an ActiveX control from running in Internet Explorer).
  4. Empty the temporary directory (%Temp%).
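Step 3 above amounts to setting the kill bit for the control's CLSID. The following added example (not code from the page, from Kaspersky or from Microsoft) checks a snapshot of the ActiveX Compatibility key for that kill bit and emits a .reg file that sets it; the key path and the 0x400 flag are Microsoft's documented kill-bit mechanism, the CLSID is the one listed above, and the registry snapshot is constructed.

```python
"""Kill-bit check for the ActiveX control abused by Trojan-Downloader.JS.Agent.sg."""
import re

# Internet Explorer consults this key before instantiating a control; a
# "Compatibility Flags" value with bit 0x400 set stops the control from loading.
KILLBIT_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# CLSID taken from the description above.
BAIDUBAR_CLSID = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"


def killbit_key(clsid: str) -> str:
    """Full registry key path holding the kill bit for a CLSID."""
    if not CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return f"{KILLBIT_ROOT}\\{clsid.upper()}"


def killbit_set(reg: dict, clsid: str) -> bool:
    """True if the snapshot {key_path: {value_name: data}} shows the kill bit set."""
    flags = reg.get(killbit_key(clsid), {}).get("Compatibility Flags", 0)
    return bool(int(flags) & KILL_BIT)


def killbit_reg_file(clsid: str) -> str:
    """Text of a .reg file that sets the kill bit (merge with regedit on the affected host)."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{killbit_key(clsid)}]\r\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\r\n'
    )


# Constructed snapshot: the control is registered but no kill bit has been set yet.
SAMPLE_REGISTRY = {killbit_key(BAIDUBAR_CLSID): {"Compatibility Flags": 0}}

if __name__ == "__main__":
    state = "set" if killbit_set(SAMPLE_REGISTRY, BAIDUBAR_CLSID) else "NOT set"
    print(f"kill bit for {BAIDUBAR_CLSID}: {state}")
    print(killbit_reg_file(BAIDUBAR_CLSID))
```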

 

Trojan-Downloader.Win32.Braidupdate.c


Aliases
Trojan-Downloader.Win32.Braidupdate.c (Kaspersky Lab) is also known as: TrojanDownloader.Win32.Braidupdate.c (Kaspersky Lab), Trojan.Braid (Doctor Web), TROJ_BRAIDUPDT.C (Trend Micro), TR/Dldr.Braidupda.C (H+BEDV), Win32:Trojano-363 (ALWIL), Downloader.Braidupdate.C (Grisoft), Worm.WinUpToDate (ClamAV), Trj/Downloader.PO (Panda), Win32/TrojanDownloader.Braidupdate.C (Eset)

This Trojan downloads another program via the Internet and launches it on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file. It is 79360 bytes in size. It is written in C++.

Installation

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunWindowsUpdate" = "<path to Trojan executable file>"

Payload

Once launched, the Trojan creates the following system registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunWindowsUpdate]
"Gid" = "026133246127060045718030656336"

It then sends the following request:

http://www.uptodate.browse*****.com/perl/uptodate.pl?action=any&gid=026133246127060045718030656336&clientversion=1.0.7_ST&county=&cls=&isof=00

The request carries a parameter (clientversion in the URL above) that transmits the Trojan's version. If no newer version of the Trojan is available, the server replies "<OK>". If a more recent version is available, the server replies with a link to the file containing the new version. The Trojan downloads the updated copy of itself and saves it to the temporary directory under the following name:

%Temp%\_ps_inst.exe

The file is then launched for execution.
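The update check described above leaves a recognisable request shape even though the host is redacted on this page. The following is an added example, not code from the page or from the Trojan's authors: it scans constructed proxy-log lines for the uptodate.pl beacon, extracts gid and clientversion for pivoting, and interprets the server reply as described ("<OK>" or a link); it assumes the link is returned as a bare URL and uses a placeholder host in place of the redacted one.

```python
"""Detect Braidupdate-style update beacons in proxy logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines in a minimal "client_ip host url" layout (not real traffic).
# The C2 host is redacted on the page, so the rule keys on the path and query
# parameters, which the redaction leaves intact.
SAMPLE_LOG = """\
10.0.0.5 www.example.com http://www.example.com/index.html
10.0.0.7 www.uptodate.browse-redacted.example http://www.uptodate.browse-redacted.example/perl/uptodate.pl?action=any&gid=026133246127060045718030656336&clientversion=1.0.7_ST&county=&cls=&isof=00
10.0.0.9 cdn.example.net http://cdn.example.net/perl/uptodate.pl?foo=bar
"""

BEACON_PATH = "/perl/uptodate.pl"
REQUIRED_PARAMS = {"action", "gid", "clientversion"}
# The observed gid is a 30-digit decimal string; requiring a long digit run is an assumption.
GID_RE = re.compile(r"^\d{20,}$")


def parse_beacon(url: str):
    """Return host/gid/clientversion if url matches the update check, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(BEACON_PATH):
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not REQUIRED_PARAMS.issubset(params) or not GID_RE.match(params["gid"]):
        return None
    return {"host": parts.hostname, "gid": params["gid"],
            "clientversion": params["clientversion"]}


def scan_proxy_log(text: str) -> list[dict]:
    """Return one record per beaconing client, keyed by the gid used as a bot identifier."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        beacon = parse_beacon(fields[2])
        if beacon:
            beacon["client"] = fields[0]
            hits.append(beacon)
    return hits


def interpret_update_reply(body: str):
    """'<OK>' means no newer version; anything else is treated as the download link.
    Assumes the link is sent as a bare URL (the page does not show the exact format)."""
    body = body.strip()
    if body == "<OK>":
        return ("current", None)
    if body.lower().startswith(("http://", "https://")):
        return ("update", body)
    return ("unknown", body)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} gid={hit['gid']} version={hit['clientversion']}")
```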

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following system registry keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunWindowsUpdate]
    "Gid" = "026133246127060045718030656336"
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RunWindowsUpdate" = "<path to Trojan executable file>"
  3. Empty the temporary directory (%Temp%).

Trojan-Downloader.Win32.Agent.nmi


This Trojan downloads another program via the Internet and launches it on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file. Its size ranges from 18KB to 47KB.

Payload

The Trojan contacts the following web site:

http://xanjan.cn/*****update.txt

The file at this link contains a list of files to download.

This list is saved to the location shown below:

%Application Data%\update.dat

The links in the file are encrypted.

The Trojan then downloads files from the links and saves them as shown below:

%Application Data%\<rnd>.exe

<rnd> stands for a random string of numbers and lower-case Latin letters, for example: m2zpp.exe, 43m66m.exe.

Once the files have been downloaded, they are launched for execution and then delete themselves. If the downloaded files are DLL files, they register themselves in the system and are launched the next time the system is started.

Once it has delivered its payload, the original Trojan deletes its body.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine) if it has not deleted itself.

Trojan-PSW.Win32.OnLineGames.lfi


This malicious program is a Trojan. It is a Windows PE EXE file. It is 123873 bytes in size.

Installation

The Trojan copies its executable file to the Windows system directory:

%System%\amvo.exe

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"amva" = "%System%\amvo.exe"

The Trojan also extracts the file shown below from its body:

%System%\amvo0.dll

This file is 44608 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.WOW.ahe.

The Trojan also extracts the file shown below from its body:

%Temp%\<random symbols>.dll

This file is 31713 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.mdl.

Payload

The Trojan loads the .dll file into all processes launched in the system.

The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:

maplestory.exe
wow.exe

It sniffs traffic sent to the following addresses:

216.107.***.53
216.107.***.51
216.107.***.52

It does this in an attempt to harvest account data for the following games:

Maple Story
World of Warcraft

and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web server.

Harvested data is sent to the remote malicious user's site.

The Trojan also modifies the following system registry key parameter values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

The Trojan also attempts to terminate the following processes:

KAV
RAV
AVP
KAVSVC

The Trojan also has worm functionality, making it able to propagate via removable storage media. The Trojan copies its executable file to the root of each drive as follows:

<X>:\n1deiect.com

<X> indicates the relevant disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

<x>:\autorun.inf

This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the following file:
    %System%\amvo.exe
  2. Reboot the computer.
  3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  4. Delete the following system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "amva" = "%System%\amvo.exe"
  5. Restore the original system registry key values:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "0"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "2"
    "ShowSuperHidden" = "0"
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun" = "0x91"
  6. Delete the following file:
    %System%\amvo0.dll
  7. Empty the temporary directory (%Temp%).
  8. Delete the files shown below from all removable disks:
    <X>:\n1deiect.com
    <x>:\autorun.inf

    <x> stands for the letter of the removable disk.

 

Trojan-PSW.Win32.OnLineGames.sxa


This malicious program is a Trojan. It is a Windows PE EXE file. It is 118103 bytes in size.

Installation

The Trojan copies its executable file to the Windows system directory:

%System%\kavo.exe

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"

The Trojan also extracts the file shown below from its body:

%System%\kavo0.dll

This file is 114176 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.szc.

The Trojan also extracts the file shown below from its body:

%Temp%\<random symbols>.dll

This file is 29815 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.stcw.

Payload

The Trojan loads the .dll file to all processes launched in the system.

The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:

maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe 
sro_client.exe
so3d.exe
ge.exe
elementclient.exe

It sniffs traffic sent to the following addresses:

61.220.60.***
61.220.62.***
61.220.56.***
61.220.62.***
203.69.46.***
220.130.113.*** 

It does this in an attempt to harvest account data for the following games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web server.

Harvested data is sent to the remote malicious user's site.

The Trojan also modifies the following system registry key parameter values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"
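Both OnLineGames entries on this page (Trojan-PSW.Win32.OnLineGames.lfi and .sxa) enforce the same four Explorer values: the first three keep the Trojan's hidden files and autorun.inf out of view in Explorer, while NoDriveTypeAutoRun=0x91 leaves AutoRun active on removable drives, which the autorun.inf propagation relies on. The following added audit (not code from the page or from Kaspersky) decodes those values and the two Run entries from a constructed registry snapshot; the bit layout of NoDriveTypeAutoRun follows Microsoft's documented DRIVE_* bits, and the key paths and Run names are the page's own.

```python
"""Audit of the Explorer registry values the two OnLineGames samples enforce."""
from typing import Mapping

# NoDriveTypeAutoRun is a bitmask: a set bit DISABLES AutoRun for that drive type.
# Bit values per Microsoft's documentation; 0x91 (unknown|network|unspecified) is the
# Windows XP default, so removable and CD-ROM drives keep AutoRun active.
AUTORUN_BITS = [(0x01, "unknown"), (0x04, "removable"), (0x08, "fixed"),
                (0x10, "network"), (0x20, "cdrom"), (0x40, "ramdisk"), (0x80, "unspecified")]

# Key paths and Run-entry names taken from the two descriptions on this page.
SHOWALL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_ENTRIES = {"amva": "amvo.exe", "kava": "kavo.exe"}


def autorun_enabled_types(value: int) -> list[str]:
    """Drive types on which AutoRun is still allowed for a NoDriveTypeAutoRun value."""
    return [name for bit, name in AUTORUN_BITS if not value & bit]


def audit_registry(reg: Mapping[str, Mapping[str, object]]) -> list[str]:
    """Return findings for a snapshot shaped as {key_path: {value_name: data}}."""
    findings = []
    adv = reg.get(ADVANCED, {})
    if adv.get("Hidden") == 2:
        findings.append("Explorer hides hidden files (Hidden=2)")
    if adv.get("ShowSuperHidden") == 0:
        findings.append("Explorer hides protected OS files (ShowSuperHidden=0)")
    if reg.get(SHOWALL, {}).get("CheckedValue") == 0:
        findings.append("'Show hidden files' option neutralised (SHOWALL CheckedValue=0)")
    policy = reg.get(POLICIES, {}).get("NoDriveTypeAutoRun")
    if policy is not None and "removable" in autorun_enabled_types(int(policy)):
        findings.append(f"AutoRun active on removable drives (NoDriveTypeAutoRun=0x{int(policy):02X})")
    for name, data in reg.get(RUN, {}).items():
        exe = str(data).rsplit("\\", 1)[-1].lower()
        if name in KNOWN_RUN_ENTRIES or exe in KNOWN_RUN_ENTRIES.values():
            findings.append(f"OnLineGames persistence: Run\\{name} = {data}")
    return findings


# Constructed snapshot reproducing the values listed above plus one benign Run entry.
SAMPLE_REGISTRY = {
    SHOWALL: {"CheckedValue": 0},
    ADVANCED: {"Hidden": 2, "ShowSuperHidden": 0},
    POLICIES: {"NoDriveTypeAutoRun": 0x91},
    RUN: {"kava": r"%System%\kavo.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REGISTRY):
        print("FINDING:", finding)
```

On a live host the snapshot dict can be filled from winreg or from the output of reg export; the audit itself never touches the registry.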

The Trojan also attempts to terminate the following processes:

KAV
RAV
AVP
KAVSVC

The Trojan also has worm functionality, making it able to propagate via removable storage media. The Trojan copies its executable file to the root of each drive as follows:

<X>:\n6j.com

<X> indicates the relevant disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

<x>:\autorun.inf

This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the following file:
    %System%\kavo.exe
  2. Reboot the computer.
  3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  4. Delete the following system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "kava" = "%System%\kavo.exe"
  5. Restore the original system registry key values:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "0"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "2"
    "ShowSuperHidden" = "0"
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun" = "0x91"
  6. Delete the following file:
    %System%\kavo0.dll
  7. Empty the temporary directory (%Temp%).
  8. Delete the files shown below from all removable disks:
    <X>:\n6j.com
    <x>:\autorun.inf

    <x> stands for the letter of the removable disk.

 

Trojan-Downloader.JS.Small.fi


This Trojan downloads other files via the Internet and launches them for execution on the victim machine. It is an HTML page which contains JavaScript. It is 1432 bytes in size.

Payload

The Trojan downloads a file from the URL shown below by exploiting a vulnerability (CVE-2006-1359) in the processing of "createTextRange" in Microsoft Internet Explorer:

http://195.62.***.21/a.exe

The Trojan saves this file to its working directory as shown below:

%WorkDir%\a.exe

The downloaded file will then be launched for execution.

At the time of writing, the link was not active.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the process shown below:
    a.exe
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following file:
    %WorkDir%\a.exe
  4. Delete all files from %Temporary Internet Files%.
  5. Install the latest patches for Microsoft Internet Explorer.
  6. Update your antivirus databases and perform a full scan of the computer.

Bofra.A / MyDoom variant


Exploits SHDOCVW.DLL flaw

Note: Some vendors refer to the Bofra worm as a variant of MyDoom, though even then there is disagreement as to which variant it is. For example, Symantec (who also calls the widely known Bagle worm the Beagle worm) initially dubbed the Bofra worm MyDoom.AH and later changed the name to MyDoom.AI. Bofra.A is a mass-mailing email worm that arrives without an attachment and infects when the user clicks on an enticing link contained in the Bofra worm's message. The email link claims to point to an adult video or webcam photos.

Specifically, Bofra.A exploits a vulnerability in certain versions of SHDOCVW.DLL, a Windows operating system file that renders the IFRAME, FRAME, and EMBED HTML tags.

The vulnerable versions of SHDOCVW.DLL are found on Windows XP (SP1 and below) and Windows 2000 systems. Windows XP SP2 is not affected.

The vulnerability was first discovered on October 23, 2004 with first public release of exploit code on November 1, 2004. Bofra.A was discovered on November 8, 2004.

The From address in the email is spoofed and portions of the header may also be forged. The Subject line of the email will be one of the following:

    funny photos :)
    hello
    hey!
    (blank)
    (random characters)

The Message Body varies and may be either of the following:

The links point to a webpage on the infected host (via TCP port 1639) that exploits the SHDOCVW.DLL vulnerability and results in a buffer overflow condition in Internet Explorer. This allows shell code to execute, causing the local machine to download and execute the malicious file, thus becoming another infected host (and making the download site a perpetually moving target).

The Bofra worm searches the newly infected system for email addresses, sending the email to those found, thus repeating the process.

A second variant of the worm masquerades as a PayPal notice, claiming that PayPal has charged $175 to your account and providing a link to find 'details'. Of course, clicking the link infects the recipient's computer.

Storm Worm


Also known as: Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Email-Worm.Win32.Zhelatin.a (Kaspersky), Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW (Trend Micro), Win32/Nuwar.N@MM (Microsoft).

Type: Email worm, Trojan, Downloader
Discovered: January 19, 2007
Method of Propagation: The Storm worm spreads via email, using a variety of subject lines and message text that may masquerade as news articles or other current events. For example, subject lines in the Storm email may be named one of the following:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Radical Muslim drinking enemies's blood.
Chinese missile shot down Russian satellite
Saddam Hussein alive!
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.

The attachment carried by the Storm worm may be named one of the following:

FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe

Symptoms of Infection:

Note: There are dozens of variants of the Storm worm. The following technical details may not apply to each of them. To determine whether a Storm worm infection is present, scan your systems with up-to-date antivirus software.

System Impact:
The Storm email worm may drop the file 'wincom32.exe' into the Windows system directory (typically C:\Windows\System under Windows 95/98/ME, C:\Winnt\System32 under Windows NT/2000, and C:\Windows\System32 under Windows XP).

The Storm worm loads the dropped wincom32.exe as a device driver by modifying the registry as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32

This device driver injects a module into the services.exe process, sets up a peer-to-peer file-sharing network on infected systems, and opens and listens for commands on UDP ports 4000, 7871 and 11271.

The Storm worm then downloads files from various remote IP addresses and executes those files on the local system.

Removal Notes:
The Storm worm is rootkit enabled and may hide files and processes associated with it and other malware it downloads. To remove the worm and other installed malware, scan the system using up-to-date antivirus software.

Troj/Pushdo-Gen


Troj/Pushdo-Gen is a family of Trojans for the Windows platform.

When members of Troj/Pushdo-Gen are installed they drop and run a further file in memory, usually detected as Troj/Pushu-Gen or Mal/Basine-C. This may then drop further files, including some of the following:

<Windows>\system32\drivers\ip6fw.sys
<Windows>\system32\drivers\netdtect.sys
<System>\drivers\runtime.sys
<System>\drivers\secdrv.sys

These files are used to provide stealthing for the Trojan.

The dropped file in memory will also often attempt to inject further code into Internet Explorer.

About this Archive

This page is an archive of recent entries in the Computer Viruses category.
