Threat Explorer

Downloader.Dluca.D

Discovered: 29 October 2003
Updated: 30 October 2003
Systems Affected: Windows

Downloader.Dluca.D is a downloader trojan that sends information about the compromised system to a specific website.
Downloader.Dluca.D is a trojan program that sends information about the compromised system to a remote website. When the trojan is installed, it creates the following copies of itself:
%System%\DLuxjp-uninstall.exe
C:\Program Files\Dialers\Dluxjp\DLuxjp.exe

It also creates the following icon file:
C:\Program Files\Dialers\Links\DLuxjp.ico

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Dluxjp"="C:\Program Files\Dialers\Dluxjp\Dluxjp.exe /noconnect"

It also inserts the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\DLuxjp\"DisplayName" = "DLuxjp"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\DLuxjp\"UninstallString" = "%System%\DLux-uninstall.exe /uninstall"

HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp\"ICN" = "Y"

HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp\"MIMETRYPE_DESCRIPTION" = ".x"

The trojan then sends system information to a remote system on TCP port 80. It sends the following HTTP GET request:
GET /w/getclientid?srv=winde&ver=0,0,0,70&pin=999997&OSInfo=Windows_4.10.67766446__A__PlatformID_1&GMC=1061242491 HTTP/1.1
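The request above is a usable network indicator. As an added example (not part of the Symantec writeup), the following Python check flags proxy log entries whose URL matches the beacon's path and query keys and extracts the reported fields; the log format and the remote host name are assumptions, since the writeup does not name the site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicator taken from the writeup: the beacon's request path and the query keys it carries.
BEACON_PATH = "/w/getclientid"
BEACON_KEYS = {"srv", "ver", "pin", "OSInfo", "GMC"}

# Assumed (constructed) proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def match_dluca_beacon(url: str):
    """Return the beacon's query fields if the URL matches the
    GET /w/getclientid?srv=...&ver=...&pin=...&OSInfo=...&GMC=... pattern, else None."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    # Require every key the sample request carries, not just the path.
    if not BEACON_KEYS.issubset(query):
        return None
    return {k: query[k][0] for k in sorted(BEACON_KEYS)}


def scan_proxy_log(lines):
    """Return (client, fields) for each GET log line whose URL matches the beacon."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "GET":
            continue
        fields = match_dluca_beacon(m.group("url"))
        if fields:
            hits.append((m.group("client"), fields))
    return hits


# Constructed sample log lines; REMOTE-HOST-PLACEHOLDER stands in for the unnamed remote site.
SAMPLE_LOG = [
    "2003-10-29T10:00:01Z 10.0.0.5 GET http://example.invalid/index.html 200",
    "2003-10-29T10:00:07Z 10.0.0.5 GET http://REMOTE-HOST-PLACEHOLDER/w/getclientid?srv=winde&ver=0,0,0,70&pin=999997&OSInfo=Windows_4.10.67766446__A__PlatformID_1&GMC=1061242491 200",
    "2003-10-29T10:00:09Z 10.0.0.8 GET http://example.invalid/w/getclientid?foo=bar 404",
]

if __name__ == "__main__":
    for client, fields in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}: Downloader.Dluca.D beacon, pin={fields['pin']} OSInfo={fields['OSInfo']}")
```

Matching on the path plus the full key set avoids flagging unrelated requests to a `/w/getclientid` path, as the third sample line shows.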