| Detection added |
Jun 15 2006 18:19 GMT |
| Update released |
Jun 15 2006 20:13 GMT |
| Description added |
Oct 03 2006 |
| Behavior |
TrojanDownloader |
This Trojan downloads files via the Internet without the user's knowledge
or consent.
The Trojan itself is a Windows PE EXE file, written in Visual C++. It is not
packed in any way. The file size may vary from 55KB to 95KB.
When launching, the Trojan causes the following dialogue box to be displayed:
Once the user clicks on "Continue", the Trojan connects to 66.244.***.178
(*****.errorsafe.com) and downloads software called ErrorSafe:
The Trojan loads the setup.exe file (2352848 bytes in size) to %temp%\NI.UERS_0001_N85M0906
and then launches it for execution. This files installs a program which contains
another Trojan program within it. This Trojan will be detected by Kaspersky
Anti-Virus as Trojan-Downloader.Win32.Agent.aqh.
The Trojan also creates a unique identifier, "InstallMutex", to flag its presence
in the system.
