FRISK Software International

Virus Info > Virus Threats > Downloader.AYEV


Summary of W32/Downloader.AYEV
Discovered: 21 Jan 2007
Definition files: 21 Dec 2006
Risk Level: Medium
Distribution:Low
 
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
W32/Downloader.AYEV is a Trojan that downloads and executes code from the Internet. It sends e-mails to harvested e-mail addresses from the infected computer. The e-mails contain a copy of the Trojan as an attachment.


Technical Description
Upon first execution it copies itself to %SYSDIR%\alsys.exe.

Adds the value:

"Agent"="%SYSDIR%\alsys.exe"

to the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

to make sure it is executed at startup.

It drops a random named executable file in the directory it is run from. The dropped file is detected as W32/Downloader.AYEU.

It disables the Windows firewall and some security related processes.

Harvests e-mail addresses from the infected system and send sends e-mail to them with the following characteristics.

From address is spoofed.

Subject is chosen from a long hardcoded list containing such subjects as:

The Dance of Love
I Believe
A Romantic Place
Steamy Dream

The body of the message is empty

Attached is a copy of the Trojan named one of the following:

Flash Postcard.exe
flash postcard.exe
greeting postcard.exe
Greeting Postcard.exe
greeting card.exe
Greeting Card.exe
postcard.exe
Postcard.exe


Removal Instructions
For general removal instructions please click here.

Marteinn Þór Harðarson
 
Virus Info by Platform

Virus Info by Letter:

F-PROT Antivirus Alerts
Stay up to date with important developments via e-mail.
more...
Life cyle policy
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
more...
RSS News Feeds
Virus news and information directly to your desktop.
more...
Glossary of Terms
Definitions of common antivirus terminology.
more...
More Virus Info
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is 00a@eircom.net 0maaahonyy@eircom.net 950@eircom.net af@eircom.net am@eircom.net ar@eircom.net as@eircom.net b1@eircom.net boss3@eircom.net ceih@eircom.net cera@eircom.net chxe@eircom.net cs@eircom.net cydw@eircom.net d71@eircom.net dpfy@eircom.net dzuv@eircom.net ehpa@eircom.net epin@eircom.net f1@eircom.net fa@eircom.net fdld@eircom.net fdnv@eircom.net gacg@eircom.net gafj@eircom.net gc@eircom.net gz@eircom.net ha@eircom.net he@eircom.net ia@eircom.net ja@eircom.net k2@eircom.net lleahy6@eircom.net m1@eircom.net no@eircom.net pb@eircom.net qq@eircom.net r6oo@eircom.net ra@eircom.net s2@eircom.net t2@eircom.net ua@eircom.net va@eircom.net vb@eircom.net w2@eircom.net ww2@eircom.net xxxkiss@eircom.net y1@eircom.net ya@eircom.net zz@eircom.net