Virus: TR/Dldr.Tcom.1
Date discovered: 19/07/2005
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 5.632 Bytes
MD5 checksum: 8e3cf147f6d642b4e0808cec743d856e
VDF version: 6.31.0.234

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Download.Trojan
   •  Mcafee: Downloader-ACS
   •  Kaspersky: Trojan-Downloader.Win32.Murlo.as
   •  TrendMicro: TROJ_VIDLO.K
   •  Sophos: Troj/Vidlo-R
   •  VirusBuster: Trojan.DL.Vidlo.H


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Downloads malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\%executed file%

It deletes the initially executed copy of itself.

It deletes the following file:
   • %malware execution directory%\a.bat

The following files are created:

%malware execution directory%\a.bat
This is a non-malicious text file with the following content:
   :l
   del %1
   if exist %1 goto l
   del %0

%SYSDIR%\dllsys.dll

It tries to download some files:

– The locations are the following:
   • http://www.**********.net/images/2.exe
   • http://www.**********.ru/eshop/sys/2.exe
   • http://**********.com.ua/files/2.exe
   • http://www.**********.ru/test/pics/2.exe
   • http://**********/unix/2.exe
It is saved on the local hard drive under:
   • %HOME%\local settings\temporary internet files
Furthermore, this file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: TR/Tcom.2


– The locations are the following:
   • http://www.**********.net/images/3.exe
   • http://www.**********.ru/eshop/sys/3.exe
   • http://**********.com.ua/files/3.exe
   • http://www.**********.ru/test/pics/3.exe
   • http://**********/unix/3.exe
It is saved on the local hard drive under:
   • %HOME%\local settings\temporary internet files
Furthermore, this file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\software\microsoft\windows\currentversion\run\]
   • "winldr"="%WINDIR%\%executed file%"
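As an added host-side check (example code written for this entry, not Avira's own tooling), the following Python flags the three indicators the description lists: the self-deleting a.bat stub, the "winldr" Run value (generalised to any .exe launched from the %WINDIR% root rather than a subfolder), and dllsys.dll in %SYSDIR%. The registry values, file paths and the name dropper.exe in the sample data are constructed; dropper.exe stands in for the page's %executed file%.

```python
import ntpath

# Indicators from the description above. All sample data here is constructed
# for illustration; "dropper.exe" stands in for the page's %executed file%.
SAMPLE_BAT = ":l\ndel %1\nif exist %1 goto l\ndel %0\n"
SAMPLE_RUN = {"winldr": r"C:\WINDOWS\dropper.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\system32\dllsys.dll", r"C:\WINDOWS\dropper.exe"]


def is_self_delete_stub(batch_text: str) -> bool:
    """Match the four-line a.bat loop: label, del %1, retry until gone, del %0.
    %1 is the path the trojan passes in (its initial copy); %0 is the batch
    file itself, so the stub removes both once the original is unlocked."""
    lines = [ln.strip().lower() for ln in batch_text.splitlines() if ln.strip()]
    if len(lines) != 4 or not lines[0].startswith(":"):
        return False
    label = lines[0][1:]
    return (lines[1] == "del %1"
            and lines[2] == f"if exist %1 goto {label}"
            and lines[3] == "del %0")


def suspicious_run_values(run_values: dict, windir: str) -> list:
    """Flag Run values named 'winldr' (the page's indicator) and, more
    generally, any value that launches an .exe sitting directly in %WINDIR%."""
    hits = []
    for name, command in run_values.items():
        path = command.strip('"')
        in_windir_root = (ntpath.normcase(ntpath.dirname(path))
                          == ntpath.normcase(windir.rstrip("\\")))
        if name.lower() == "winldr" or (in_windir_root and path.lower().endswith(".exe")):
            hits.append(name)
    return hits


def assess(batch_text: str, run_values: dict, files_present: list,
           windir: str = r"C:\WINDOWS", sysdir: str = r"C:\WINDOWS\system32") -> list:
    """Combine the three host-side indicators into a list of findings."""
    findings = []
    if is_self_delete_stub(batch_text):
        findings.append("self-deleting a.bat stub")
    for name in suspicious_run_values(run_values, windir):
        findings.append(f"Run value {name} -> {run_values[name]}")
    present = {ntpath.normcase(f) for f in files_present}
    if ntpath.normcase(ntpath.join(sysdir, "dllsys.dll")) in present:
        findings.append("dllsys.dll in %SYSDIR%")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_BAT, SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```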

Description inserted by Sergiu Oprea on Wednesday, August 3, 2005
Description updated by Sergiu Oprea on Friday, August 26, 2005
