Virus:TR/Dldr.iBill.BF
Date discovered:25/10/2008
Type:Trojan
Subtype:Downloader
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:31.232 Bytes
MD5 checksum:488307fee7b6901b7715fc958c83e5d0
VDF version:7.00.07.088
IVDF version:7.00.07.090

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.Inject.jiq
   •  F-Secure: Trojan.Win32.Inject.jiq
   •  Sophos: Troj/Agent-IAS
   •  Eset: Win32/AutoRun.Agent.AD
   •  Bitdefender: Win32.Worm.Autorun.NT


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Registry modification

 Files It copies itself to the following location:
   • %PROGRAM FILES%\Microsoft Common\svchost.exe



It deletes the initially executed copy of itself.




It tries to download a file:

– The locations are the following:
   • http://www.univnext.cn/**********
   • http://cjusbciw123.com/**********
This file may contain further download locations and might serve as source for new threats.

 Registry The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\explorer.exe]
   • Debugger = "%PROGRAM FILES%\Microsoft Common\svchost.exe"

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • www.microsoft.com

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Monica Ghitun on Monday, November 3, 2008
Description updated by Andrei Gherman on Tuesday, November 4, 2008

Back . . . .