Virus: TR/Dldr.RO.1.A
Date discovered: 13/12/2012
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 3.413 Bytes
MD5 checksum: C5FAF94C1EF23E69CBDD36B93F7957E3
VDF version: 7.11.53.216

General:
   • No own spreading routine


Aliases:
   •  Symantec: Downloader.Trojan
   •  Kaspersky: Troj/Dloader-RO
   •  Sophos: Troj/Dloader-RO


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Programming language:
The malware program was written in Delphi.

Files:
It tries to download some files.

The location is the following:
   • http://85.255.**********/troys/kl.txt
It is saved on the local hard drive as %WINDIR%\kl.exe and executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: BDS/Smal.vg.6.A

The location is the following:
   • http://85.255.**********/troys/tool1.txt
It is saved on the local hard drive as %WINDIR%\tool1.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/tool2.txt
It is saved on the local hard drive as %WINDIR%\tool2.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/tool3.txt
It is saved on the local hard drive as %WINDIR%\tool3.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/tibs.php
It is saved on the local hard drive as %WINDIR%\tibs.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/paytime.txt
It is saved on the local hard drive as %WINDIR%\paytime.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/paydial.txt
It is saved on the local hard drive as %WINDIR%\paydial.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/newdial.txt
It is saved on the local hard drive as %WINDIR%\newdial.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/ms1.txt
It is saved on the local hard drive as %WINDIR%\ms1.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/ms2.txt
It is saved on the local hard drive as %WINDIR%\ms2.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/ms3.txt
It is saved on the local hard drive as %WINDIR%\ms3.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/ms4.txt
It is saved on the local hard drive as %WINDIR%\ms4.exe and executed once the download has completed. Further investigation showed that this file is malware, too.

The location is the following:
   • http://85.255.**********/troys/hosts.txt
It is saved on the local hard drive as %WINDIR%\hosts.

Hosts:
The hosts file is modified as explained below.

In this case, existing entries are deleted.

Access to the following domains is effectively blocked:

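A small triage helper for the behaviour described above, added here as an example; it is not Avira's own code. It parses a hosts file for a few of the domains the description lists as blocked and checks a directory for the executable names the downloader drops into %WINDIR%. The sample hosts text and the temporary directory it scans are constructed inputs.

```python
import os
import tempfile

# Executables the description says the downloader writes to %WINDIR% (names from the page).
DROPPED_FILES = ["kl.exe", "tool1.exe", "tool2.exe", "tool3.exe", "tibs.exe",
                 "paytime.exe", "paydial.exe", "newdial.exe",
                 "ms1.exe", "ms2.exe", "ms3.exe", "ms4.exe"]

# A few of the domains the description lists as blocked through the hosts file.
BLOCKED_DOMAINS = {"n-glx.s-redirect.com", "x.full-tgp.net",
                   "autoescrowpay.com", "www.autoescrowpay.com"}

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:                   # blank, comment-only or malformed line
            continue
        for name in fields[1:]:               # one IP may be followed by several names
            entries.append((fields[0], name.lower()))
    return entries

def watchlisted_entries(text, watchlist=BLOCKED_DOMAINS):
    """Hostnames from the watchlist that the hosts file maps anywhere at all."""
    return sorted({name for _, name in parse_hosts(text) if name in watchlist})

def find_dropped_files(windir, names=DROPPED_FILES):
    """Names from the dropped-file list that currently exist in the given directory."""
    return sorted(n for n in names if os.path.isfile(os.path.join(windir, n)))

def demo():
    """Run both checks on constructed inputs; returns (hosts hits, dropped files found)."""
    hosts_text = (
        "# constructed sample, not a real hosts file\n"
        "127.0.0.1 localhost\n"
        "127.0.0.1 autoescrowpay.com www.autoescrowpay.com  # blocked by the malware\n"
        "0.0.0.0   example.org\n"
    )
    with tempfile.TemporaryDirectory() as fake_windir:   # stands in for %WINDIR%
        for name in ("kl.exe", "tibs.exe", "notes.txt"):   # two dropped names, one decoy
            open(os.path.join(fake_windir, name), "wb").close()
        dropped = find_dropped_files(fake_windir)
    return watchlisted_entries(hosts_text), dropped

if __name__ == "__main__":
    print(demo())
```

On a live system, check both the %WINDIR%\hosts path named above and the system hosts file at %WINDIR%\System32\drivers\etc\hosts, which is the one the resolver actually reads.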
The modified hosts file will look like this:


Description inserted by Andrei Gherman on Wednesday, August 10, 2005
Description updated by Andrei Gherman on Friday, April 7, 2006
