Threat Explorer

Downloader.BO

Discovered: 12 November 2002
Updated: 12 November 2002
Systems Affected: Windows
Downloader.BO is a trojan program that downloads and installs Backdoor.Jeem (MCID 907) on the compromised host. The trojan may arrive in a spam mailing with the following properties:
Subject: mail
Attachment: masteraz.exe
Message Body: Hello! check out the best FREE site!

The email message may attempt to exploit the Microsoft IE MIME Header Attachment Execution Vulnerability (BID 2524, patched in MS01-020) so that the attachment is executed automatically when the message is viewed or previewed in unpatched versions of Outlook and Outlook Express. On a patched client the attachment still has to be opened by the user.
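A mail-gateway style check for this mailing, as an added example that is not code from the Symantec writeup. It parses a constructed .eml that mirrors the subject, body and attachment name above and flags two things: the known Downloader.BO indicators, and the MIME trick behind BID 2524 / MS01-020 (executable content declared under a media type that an unpatched IE engine would open on preview). The use of `audio/x-wav` in the sample is an assumption about how that exploit class is carried; the writeup does not say which media type this mailing used.

```python
# Added example, not code from the Symantec writeup. SAMPLE_EML is constructed
# for this demo; "audio/x-wav" on the .exe is an assumption about the
# BID 2524 / MS01-020 exploit class, not a detail taken from the writeup.
import email
from email import policy

KNOWN_SUBJECT = "mail"
KNOWN_ATTACHMENT = "masteraz.exe"
KNOWN_BODY_FRAGMENT = "check out the best FREE site!"
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

SAMPLE_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello! check out the best FREE site!
--b1
Content-Type: audio/x-wav; name="masteraz.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="masteraz.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""


def scan_message(raw: bytes) -> dict:
    """Return {"quarantine": bool, "findings": [...]} for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").strip()
    if subject.lower() == KNOWN_SUBJECT:
        findings.append("subject matches Downloader.BO mailing")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and KNOWN_BODY_FRAGMENT in body.get_content():
        findings.append("body text matches Downloader.BO mailing")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name == KNOWN_ATTACHMENT:
            findings.append(f"attachment {name} matches Downloader.BO")
        if name.endswith(EXEC_EXTENSIONS):
            if ctype.startswith("application/"):
                findings.append(f"executable attachment {name}")
            else:
                # MS01-020 class: executable bytes declared under a media type
                # (audio/x-wav etc.) that an unpatched IE engine opens on preview
                # instead of prompting the user.
                findings.append(f"executable {name} declared as {ctype}")

    return {"quarantine": bool(findings), "findings": findings}
```

The media-type mismatch check is the durable part: the subject and attachment name change from mailing to mailing, but an executable extension arriving under a non-`application/*` Content-Type is suspicious regardless of the campaign.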

When the attachment is executed, the trojan creates the following registry entry (a value named Time whose data is the time the trojan was executed):
HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6\Time <the time that the Trojan was executed>

The trojan then connects to http://masteraz.hypermart.net and downloads a file named counter.c. Despite the .c extension the file is a Windows executable: it is saved locally as OUTPUT.EXE and then executed by the trojan. OUTPUT.EXE is a copy of Backdoor.Jeem.

If the download fails, the trojan creates the following Run entry so that it is executed again at the next Windows start and can retry the download:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\.inr\5Nzg1mOWKzFnuvu6 <the Trojan file name>

If the download succeeds, the trojan instead records completion by setting the (Default) value of its marker key to Done:
HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6\(Default) Done

Finally, the trojan requests a Perl script on the same hypermart.net user site, which reports the country of the compromised system to the trojan's author.
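The registry markers above distinguish three outcomes: the dropper ran (Time value), the download failed and persistence was set (Run entry), or the payload was fetched ((Default) = Done). The following is an added example, not code from the Symantec writeup, that triages an offline `reg export` file against those markers. Both .reg samples are constructed for the demo; the writeup does not spell out whether the Run entry is a value name or a subkey, so the check matches the marker string either way under the Run key.

```python
# Added example, not code from the Symantec writeup. SAMPLE_DONE and
# SAMPLE_RETRY are constructed .reg exports; the layout of the Run entry
# (value name vs. subkey) is an assumption, so both forms are matched.
import re

MARKER = r".inr\5Nzg1mOWKzFnuvu6"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\CLASSES" + "\\" + MARKER
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Download succeeded: completion marker set, no Run entry needed.
SAMPLE_DONE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6]
@="Done"
"Time"="12/11/2002 09:14:33"
"""

# Download failed: no completion marker, Run entry re-launches the dropper.
SAMPLE_RETRY = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6]
"Time"="12/11/2002 09:14:33"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
".inr\\5Nzg1mOWKzFnuvu6"="C:\\WINDOWS\\masteraz.exe"
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote inside quoted strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse 'Windows Registry Editor Version 5.00' text into
    {key_path: {value_name: data}}; the default value is stored as '(Default)'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # hex(...) continuation lines and unknown lines are ignored
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def triage(reg_text: str) -> dict:
    """Decide which stage of the Downloader.BO sequence the markers indicate."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    marker = keys.get(MARKER_KEY.lower(), {})
    executed = "Time" in marker
    download_done = marker.get("(Default)") == "Done"

    run_entry = None
    for key, values in keys.items():
        if not key.startswith(RUN_KEY.lower()):
            continue
        if MARKER.lower() in key:            # marker used as a subkey of Run
            run_entry = next(iter(values.values()), "")
        for name, data in values.items():    # marker used as a value name
            if MARKER.lower() in name.lower():
                run_entry = data

    if not executed:
        verdict = "no Downloader.BO markers"
    elif download_done:
        verdict = "dropper ran and fetched payload: look for OUTPUT.EXE (Backdoor.Jeem)"
    elif run_entry:
        verdict = f"dropper ran, download failed, will retry at boot via {run_entry}"
    else:
        verdict = "dropper ran; outcome not recorded"
    return {"executed": executed, "download_succeeded": download_done,
            "run_entry": run_entry, "verdict": verdict}
```

On a live host the same decision can be made against `HKLM\Software\CLASSES\.inr` and the Run key directly; parsing an export keeps the logic testable off-box and works on hives pulled from an image.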