W32/MSNMaker.W!tr.bdr - Released Sep 25, 2006 - Last Updated Sep 30, 2006

Alias/es

Backdoor.MSNMaker.F, Backdoor.Win32.MSNMaker.w, W32/Kelvir.worm.gen

Detection Availability

                 Active Database   Extended Database
FortiGate        low               high
FortiClient
FortiMail        N/A

Visible Symptoms

Presence of the file C:\drsmartload.exe

Detailed Analysis

  • The malware attempts to connect to the following sites:
    69.64.38.140
    http://www.uglyphotos.net/
    http://content.dollarrevenue.com/
    http://activex.matcash.com/
    http://apps.deskwizz.com/
    and downloads various adware and trojan packages from them.

  • Some of the downloaded files are as follows:
    C:\drsmartload.exe
    C:\windows\RDFX4.exe
    C:\drsmartload1.exe
    C:\warebundlenewer.exe
    C:\Installer4.exe
    %SystemDir%\iqmon.dll
    %Windows%\Gck26.exe
    %SystemDir%\lxcalmon.dll
    %Windows%\Downloaded Program Files\speedtest2.dll
    %Program Files%\ToolBar888\MyToolBar.dll
    drsmartload1135a.exe, dropped in the current directory
    Several other dropped files appear to be randomly named; most of them are trojan components, so the list above should not be treated as exhaustive.

  • It makes several registry modifications, mostly related to the adware toolbar components, under the following keys:
    HKEY_CURRENT_USER\Software\Avenue Media
    HKEY_CURRENT_USER\Software\Effective-i
    HKEY_CURRENT_USER\Software\Maxthon
    HKEY_LOCAL_MACHINE\SOFTWARE\System\sysold
    HKEY_CURRENT_USER\Software\MyToolBar

  • One of its components registers itself as a service under the following registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor

  • The malware spontaneously opens instances of Internet Explorer.

  • The malware usually disguises itself as a shortcut file. It is packed with MEW and has an approximate file size of 13,629 bytes.
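As an added triage example (not part of the Fortinet entry or any Fortinet tool), the following Python script encodes the file, registry and network indicators listed above and matches them against a host inventory and a proxy log. The inventory and log lines are constructed for the demonstration, and the expansions of %SystemDir%, %Windows% and %Program Files% are assumed defaults for a Windows XP-era install; adjust them for the host being examined. Registry matching treats any subkey of a listed key as a hit, since the service entries carry their own subkeys.

```python
"""Indicator matcher for W32/MSNMaker.W!tr.bdr (editor-added example).

Indicator lists are copied from the page; everything else is an assumption
made for this demonstration and is not Fortinet's code.
"""
import re

# File paths named on the page (placeholders expanded below).
FILE_IOCS = [
    r"C:\drsmartload.exe",
    r"C:\windows\RDFX4.exe",
    r"C:\drsmartload1.exe",
    r"C:\warebundlenewer.exe",
    r"C:\Installer4.exe",
    r"%SystemDir%\iqmon.dll",
    r"%Windows%\Gck26.exe",
    r"%SystemDir%\lxcalmon.dll",
    r"%Windows%\Downloaded Program Files\speedtest2.dll",
    r"%Program Files%\ToolBar888\MyToolBar.dll",
]
# Dropped into "the current directory", so matched by file name only.
FILENAME_IOCS = ["drsmartload1135a.exe"]

REGISTRY_IOCS = [
    r"HKEY_CURRENT_USER\Software\Avenue Media",
    r"HKEY_CURRENT_USER\Software\Effective-i",
    r"HKEY_CURRENT_USER\Software\Maxthon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\System\sysold",
    r"HKEY_CURRENT_USER\Software\MyToolBar",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor",
]

NETWORK_IOCS = [
    "69.64.38.140",
    "www.uglyphotos.net",
    "content.dollarrevenue.com",
    "activex.matcash.com",
    "apps.deskwizz.com",
]

# Assumed default locations for a Windows XP-era install.
ENV = {
    "%SystemDir%": r"C:\WINDOWS\system32",
    "%Windows%": r"C:\WINDOWS",
    "%Program Files%": r"C:\Program Files",
}


def expand(path):
    """Replace %placeholders% case-insensitively and lower-case the result."""
    for key, value in ENV.items():
        path = re.sub(re.escape(key), lambda _m: value, path, flags=re.IGNORECASE)
    return path.lower()


def match_files(paths):
    """Return inventory paths that match a full-path or file-name indicator."""
    wanted = {expand(p) for p in FILE_IOCS}
    names = {n.lower() for n in FILENAME_IOCS}
    hits = []
    for p in paths:
        low = p.lower()
        if low in wanted or low.rsplit("\\", 1)[-1] in names:
            hits.append(p)
    return hits


def match_registry(keys):
    """Return keys equal to, or nested under, a listed registry indicator."""
    wanted = [k.lower() for k in REGISTRY_IOCS]
    hits = []
    for key in keys:
        low = key.lower()
        if any(low == w or low.startswith(w + "\\") for w in wanted):
            hits.append(key)
    return hits


def match_network(lines):
    """Return log lines naming a listed host or IP (token-bounded match)."""
    patterns = [re.compile(r"(?<![\w.])" + re.escape(i) + r"(?![\w.])") for i in NETWORK_IOCS]
    return [line for line in lines if any(p.search(line.lower()) for p in patterns)]


# Constructed sample data for the demonstration (not real host output).
HOST_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\iqmon.dll",
    r"C:\Documents and Settings\user\Desktop\drsmartload1135a.exe",
    r"C:\drsmartload.exe",
    r"C:\Program Files\ToolBar888\MyToolBar.dll",
]
HOST_REG_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Parameters",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows",
    r"HKEY_CURRENT_USER\Software\MyToolBar",
]
PROXY_LOG = [
    "2006-09-25 10:01:02 10.0.0.5 GET http://www.example.com/ 200",
    "2006-09-25 10:01:09 10.0.0.5 GET http://content.dollarrevenue.com/drsmartload.exe 200",
    "2006-09-25 10:01:15 10.0.0.5 CONNECT 69.64.38.140:80 200",
]

if __name__ == "__main__":
    for label, hits in (("files", match_files(HOST_FILES)),
                        ("registry", match_registry(HOST_REG_KEYS)),
                        ("network", match_network(PROXY_LOG))):
        print(f"{label}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

A clean host should produce no hits in any of the three categories; because the dropped components vary between runs, an empty file list alone does not clear a host on which the registry or network indicators fire.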

Recommended Action

FortiGate systems:

  • Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed. If required, enable the "Allow Push Update" option.

FortiClient systems:

  • Quarantine/delete the infected files detected and replace them with clean backup copies.

Reference: ID - 292509