Downloader.CashToolbar
Category: Trojan Downloader
Risk:
High Risk
* High-risk threats are typically remotely exploitable vulnerabilities that can lead to system compromise; successful exploitation does not normally require any user interaction. Such threats may open communication ports, use polymorphic tactics, install stealthily, employ anti-spyware countermeasures, and/or use a security flaw in the operating system to gain access to your computer.
Description: This detection is for a downloading trojan whose only purpose is to download and execute a remote file. Once executed, it installs itself on the victim machine using file and folder names chosen to look like legitimate system components:
    c:\WINNT\system32\drivers\cd_load.exe
    c:\WINNT\system32\inetsrv\MSCStat.exe
The following registry hooks are added so that both files start with Windows:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CashToolbar" = C:\WINNT\system32\inetsrv\MSCStat.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ClickTheButton" = C:\WINNT\system32\drivers\cd_load.exe
After a delay, the following fake error message is displayed:
    "Windows Error: Windows has detected spyware, click OK to remove."
Clicking OK causes the trojan to attempt to download remote files.
Alias: Downloader-MY
Signatures:
process: svchost.exe: MD5 Hash: aeedc5c251b79785ad8
process: svchost.exe: MD5 Hash: e0fa3d9f794aaaa7c8f
process: cd_load.exe: MD5 Hash: b7f400e556e56b04826
process: cd_load.exe: MD5 Hash: 553dd729461cef24bd6
process: cd_load.exe: MD5 Hash: 5fca53ad4a905685db3
process: mscstat.exe: MD5 Hash: df7f8bbb39861572c56..
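The following Python is an added example and is not code from the original entry. It checks an offline registry export in .reg text format (as written by `reg export` or Regedit) together with a list of file paths, such as one taken from a disk image, against the Run-key values and dropped files named in the description above. The .reg text and file list embedded in the block are constructed for the example; the value names and paths come from the description. The signature list above gives only hash prefixes, so hashes are not matched here.

```python
"""Offline IOC check for the Downloader.CashToolbar persistence described above.

Added example, not code from the original entry. Input is a Windows registry
export in .reg text format plus a list of file paths. Sample data is constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Run-key value names and the dropped files they point at, from the description.
IOC_RUN_VALUES = {
    "cashtoolbar": r"c:\winnt\system32\inetsrv\mscstat.exe",
    "clickthebutton": r"c:\winnt\system32\drivers\cd_load.exe",
}
IOC_FILES = set(IOC_RUN_VALUES.values())

# Matches "name"=data or @=data; the name itself may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash; undo that.
    return re.sub(r"\\(.)", r"\1", s)


def _norm(path):
    # Case-fold and drop surrounding quotes so quoted and unquoted paths compare equal.
    return path.strip().strip('"').lower()


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}.

    REG_SZ data is unescaped; other types (dword:, hex:) are kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # file header or a value syntax this example does not model
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_cashtoolbar(reg_text, file_paths):
    """Return Run values and files matching the indicators (both empty means clean).

    A Run value is reported when its data is one of the dropper paths, even under
    a different value name; known_name records whether the name also matched.
    """
    reg = parse_reg_export(reg_text)
    run_hits = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            target = _norm(data)
            if target in IOC_FILES:
                run_hits.append({
                    "name": name,
                    "data": data,
                    "known_name": IOC_RUN_VALUES.get(name.lower()) == target,
                })
    file_hits = sorted(p for p in file_paths if _norm(p) in IOC_FILES)
    return {"run_values": run_hits, "files": file_hits}


# Constructed sample input: one benign Run entry plus the two from the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"CashToolbar"="C:\\WINNT\\system32\\inetsrv\\MSCStat.exe"
"ClickTheButton"="\"C:\\WINNT\\system32\\drivers\\cd_load.exe\""
"Updater"=dword:00000001
'''

# Constructed file listing; inetinfo.exe is a legitimate IIS binary used as a decoy neighbour.
SAMPLE_FILES = [
    r"C:\WINNT\system32\inetsrv\inetinfo.exe",
    r"C:\WINNT\system32\inetsrv\MSCStat.exe",
    r"C:\WINNT\system32\drivers\cd_load.exe",
]

if __name__ == "__main__":
    result = find_cashtoolbar(SAMPLE_REG, SAMPLE_FILES)
    for hit in result["run_values"]:
        print("Run value %r -> %s (known name: %s)" % (hit["name"], hit["data"], hit["known_name"]))
    for path in result["files"]:
        print("dropped file present:", path)
```

Because the check keys on the target path rather than only on the value name, a variant that keeps the dropper in place but renames the Run value is still reported, with `known_name` set to False so the analyst can see the name changed.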
Copyright @2006 THR Computer Solutions: Downloader.CashToolbar