Code Injection Downloader 1.00





Overview

Vendor Notes:

From the doc: 'This is a test release of a VB6 web downloader that uses interprocess memory injection on Windows 2000 and XP (similar to the injection process that BO2K used, and others later termed "firewall bypass"). This serves 2 purposes:
- The program does not show up in the active process list
- The program will ask for internet access under the name of the program it was injected into rather than its own.
When executed, the server:
- displays a fake error message (optional)
- extracts and runs bound file (optional)
- disables Norton and McAfee AV (2000 and XP)
- attempts to inject into Kazaa (2000 and XP)
- If Kazaa is not running, it then injects into explorer
- The server then downloads the remote file, renames it to .exe and executes it.
- Deletes itself from disk (continues to run in memory.)
- on 9x boxes, it hides from the tasklist by registering itself as a service, downloads, runs, and ends.
- To end the process on 2000/XP just close Kazaa or explorer (depending on where it was injected)'

Alias:

Downloader-CV [McAfee], security risk named W32/CIDownloader.A [F-Prot], Trojan Horse [Panda], Trojan Horse.LC [Panda], TrojanDownloader.Win32.Injecter, TrojanDownloader.Win32.Injecter [Kaspersky], virus construction tool [F-Prot], Win32/Injecter!Downloader [Computer Associates]

Category:

Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.

Trojan: Any program with a hidden intent. Trojans are one of the leading ways machines are broken into. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account, which the hacker can then use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Similar Pests:

Downloader · Trojan

Origins

Group:

porno-sonic

Programming Language:

Visual Basic

Date of Origin:

May, 2003

Operation

Storage Required:

  • Code Injection Downloader 1.00: at least 237 KB

Restart:

None. See also: Autostarting Pests

ScreenShot:

[Screenshot: Code Injection Downloader]

Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

Follow these steps to remove Code Injection Downloader 1.00 from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:

Kill these running processes with Task Manager:

Remove Files:

Remove these files (if present) with Windows Explorer:

Research

File Analyses:

Research By:

PestPatrol's Pest Research Center

Last Revised:

February 27, 2005