FRISK Software International

Summary of W32/Downloader.AYEV
Discovered: 21 Jan 2007
Definition files: 21 Dec 2006
Risk Level: Medium
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
W32/Downloader.AYEV is a Trojan that downloads and executes code from the Internet. It sends e-mails to harvested e-mail addresses from the infected computer. The e-mails contain a copy of the Trojan as an attachment.

Technical Description
Upon first execution it copies itself to %SYSDIR%\alsys.exe.

Adds the value:


to the following registry keys:


to make sure it is executed at startup.

It drops a random named executable file in the directory it is run from. The dropped file is detected as W32/Downloader.AYEU.

It disables the Windows firewall and some security related processes.

Harvests e-mail addresses from the infected system and send sends e-mail to them with the following characteristics.

From address is spoofed.

Subject is chosen from a long hardcoded list containing such subjects as:

The Dance of Love
I Believe
A Romantic Place
Steamy Dream

The body of the message is empty

Attached is a copy of the Trojan named one of the following:

Flash Postcard.exe
flash postcard.exe
greeting postcard.exe
Greeting Postcard.exe
greeting card.exe
Greeting Card.exe

Removal Instructions
For general removal instructions please click here.

Marteinn Žór Haršarson

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)