W32/MSNMaker.W!tr.bdr

Aliases: Backdoor.MSNMaker.F, Backdoor.Win32.MSNMaker.w, W32/Kelvir.worm.gen
Release Date: Sep 25, 2006

Detection Availability
                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.339
Description

Visible Symptoms

Presence of the file C:\drsmartload.exe

Detailed Analysis

  • The malware attempts to connect to the following sites and downloads various adware and trojan packages from them:
    69.64.38.140
    http://www.uglyphotos.net/
    http://content.dollarrevenue.com/
    http://activex.matcash.com/
    http://apps.deskwizz.com/

  • Some of the downloaded files are as follows:
    C:\drsmartload.exe
    C:\windows\RDFX4.exe
    C:\drsmartload1.exe
    C:\warebundlenewer.exe
    C:\Installer4.exe
    %SystemDir%\iqmon.dll
    %Windows%\Gck26.exe
    %SystemDir%\lxcalmon.dll
    %Windows%\Downloaded Program Files\speedtest2.dll
    %Program Files%\ToolBar888\MyToolBar.dll
    drsmartload1135a.exe (dropped in the current directory)
    Several other dropped files appear to be randomly named and are mostly trojan components.

  • It makes several registry modifications, mostly related to the adware toolbar components, under the following keys:
    HKEY_CURRENT_USER\Software\Avenue Media
    HKEY_CURRENT_USER\Software\Effective-i
    HKEY_CURRENT_USER\Software\Maxthon
    HKEY_LOCAL_MACHINE\SOFTWARE\System\sysold
    HKEY_CURRENT_USER\Software\MyToolBar

  • One of its components installs itself as a service using the following registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor

  • The malware spontaneously opens instances of Internet Explorer.

  • The malware is usually disguised as a shortcut file and is packed with MEW, giving an approximate file size of 13,629 bytes.
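The file, registry and network indicators above can be turned into a triage sweep. The Python below is an added example, not code from the Fortinet description: it transcribes the indicators listed above, expands the %SystemDir%, %Windows% and %Program Files% placeholders with assumed default-install paths, and matches them against a constructed host snapshot (a file and registry-key listing such as one exported from a forensic image) and constructed Squid-native-format proxy log lines. The placeholder mappings, the snapshot, the log lines and the log format are assumptions; nothing here touches a live system.

```python
"""Triage sweep for the W32/MSNMaker.W!tr.bdr indicators listed above.

Added example: the indicator lists are transcribed from the description;
the placeholder expansions, host snapshot and proxy log lines are
constructed assumptions, not data from the original page.
"""
from urllib.parse import urlsplit

# Assumed expansions for the %...% tokens used in the description
# (default-install paths on an English Windows XP system).
PLACEHOLDERS = {
    "%SystemDir%": r"C:\WINDOWS\system32",
    "%Windows%": r"C:\WINDOWS",
    "%Program Files%": r"C:\Program Files",
}

# Files the description lists at fixed locations.
DROPPED_FILES = [
    r"C:\drsmartload.exe",
    r"C:\windows\RDFX4.exe",
    r"C:\drsmartload1.exe",
    r"C:\warebundlenewer.exe",
    r"C:\Installer4.exe",
    r"%SystemDir%\iqmon.dll",
    r"%Windows%\Gck26.exe",
    r"%SystemDir%\lxcalmon.dll",
    r"%Windows%\Downloaded Program Files\speedtest2.dll",
    r"%Program Files%\ToolBar888\MyToolBar.dll",
]
# Files the description lists by name only ("dropped in the current directory").
DROPPED_NAMES = ["drsmartload1135a.exe"]

REGISTRY_KEYS = [
    r"HKEY_CURRENT_USER\Software\Avenue Media",
    r"HKEY_CURRENT_USER\Software\Effective-i",
    r"HKEY_CURRENT_USER\Software\Maxthon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\System\sysold",
    r"HKEY_CURRENT_USER\Software\MyToolBar",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor",
]

# Download sites from the description (hostnames plus the bare IP).
NETWORK_IOCS = {
    "69.64.38.140",
    "www.uglyphotos.net",
    "content.dollarrevenue.com",
    "activex.matcash.com",
    "apps.deskwizz.com",
}


def expand(path):
    """Replace the description's %...% placeholders with concrete paths."""
    for token, value in PLACEHOLDERS.items():
        path = path.replace(token, value)
    return path


def match_files(present_files):
    """Indicators whose expanded path is in the host listing (NTFS is case-insensitive)."""
    present = {p.lower() for p in present_files}
    return [f for f in DROPPED_FILES if expand(f).lower() in present]


def match_names(present_files):
    """Host paths whose file name is one of the location-less indicators."""
    names = {n.lower() for n in DROPPED_NAMES}
    return [p for p in present_files if p.rsplit("\\", 1)[-1].lower() in names]


def match_registry(present_keys):
    """Registry-key indicators present in the host key listing (case-insensitive)."""
    present = {k.lower() for k in present_keys}
    return [k for k in REGISTRY_KEYS if k.lower() in present]


def match_proxy(lines):
    """(client, host) pairs for log lines whose URL host is a listed download site.

    Assumed Squid native format:
    timestamp elapsed client action/code bytes method url user hierarchy type
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line: skip rather than crash
        host = (urlsplit(fields[6]).hostname or "").lower()
        if host in NETWORK_IOCS:
            hits.append((fields[2], host))
    return hits


def sweep(files, keys, proxy_lines):
    """Run every matcher and return one report dict."""
    return {
        "files": match_files(files),
        "names": match_names(files),
        "registry": match_registry(keys),
        "network": match_proxy(proxy_lines),
    }


# Constructed sample data (not from the original page; TEST-NET addresses used).
SAMPLE_HOST_FILES = [
    r"C:\drsmartload.exe",
    r"C:\WINDOWS\system32\iqmon.dll",
    r"C:\Program Files\ToolBar888\MyToolBar.dll",
    r"C:\Documents and Settings\user\Desktop\drsmartload1135a.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_HOST_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService",
    r"HKEY_CURRENT_USER\Software\MyToolBar",
]
SAMPLE_PROXY_LOG = [
    "1159200000.123 231 10.0.0.15 TCP_MISS/200 14000 GET http://content.dollarrevenue.com/drsmartload.exe - DIRECT/198.51.100.7 application/octet-stream",
    "1159200001.456 57 10.0.0.15 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html",
    "1159200002.789 120 10.0.0.22 TCP_MISS/200 5120 GET http://69.64.38.140/warebundlenewer.exe - DIRECT/69.64.38.140 application/octet-stream",
]

if __name__ == "__main__":
    for kind, hits in sweep(SAMPLE_HOST_FILES, SAMPLE_HOST_KEYS, SAMPLE_PROXY_LOG).items():
        print(f"{kind}: {hits}")
```

Two caveats when using this on real data: most of the dropped components are randomly named and the description gives no hashes, so an empty file match is not a clean bill of health; the service keys under CurrentControlSet\Services and outbound requests to the listed download hosts are the stronger signals. Path and key comparisons are lower-cased on both sides because NTFS paths and registry key names are case-insensitive, which is why the description's mixed %SystemDir%/%Systemdir% spelling does not matter here.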

  • Description Last Updated Date: Sep 30, 2006
    Reference: ID - 292509