For future reference, all I did was go to Google and search for bvt.exe and this popped up. I also checked my computers and these files do not exist in the systems. In other words, just delete them; they are part of the trojan.
-=-=-
Virus Name: Downloader-W
Risk Assessment: Low
Virus Information
Discovery Date: 04/09/2002
Origin: Unknown
Length: Varies
Type: Trojan
SubType: Win32
Minimum Dat: 4198
Minimum Engine: 4.1.50
DAT Release Date: 04/24/2002
Description Added: 04/19/2002
Description Modified: 04/30/2002 4:38 PM (PT)
Virus Characteristics
A JavaScript was recently found on two webpages (on koolkatalog.com and online1net.com) which exploits the Microsoft "VM ActiveX Component" vulnerability. The script modifies the Internet Explorer security settings to automatically install all ActiveX Controls. As a result, an ActiveX Control gets installed which downloads other trojan components. This ActiveX Control can be found in the %WinDir%\Downloaded Program Files folder as IO Class. Checking the properties of this file will show a CodeBase reference to ONLINE1NET.COM.
There are several components to this trojan:
MNSVC.EXE (20,480 bytes) - This is the part that downloads AUSVC.EXE from http://www.wwws1.com/. It contains the text: "MinStaller Mutex"
AUSVC.EXE (57,344 bytes) - This downloads the rest of the trojan. It contains the text: "Autoupdater Mutex"
BVT.EXE (114,760 bytes) - This is an Internet Explorer Browser Plugin. It contains the text "BrowserEvt"
ABSR.EXE (118,858 bytes) - This is another IE Plugin. It contains the text "AutoBrowser"
AUUPG.EXE (69,632 bytes) - This appears similar to AUSVC.EXE, but it doesn't have the same text.
COOLSTUFF.OCX (65,653 bytes) - This ActiveX Control makes reference to several commercial firewall programs, as well as the other trojan components. It works in conjunction with setup information type files, which reside on a webserver, to download and install trojan components.
EA.BIN (366,438 bytes) - File contains numbers. It's currently unclear what the purpose of this file is.
MBTCD.BAK (8,884 bytes) - File contains encrypted data. It's currently unclear what the purpose of this file is.
Msvcp60.dll (401,462 bytes) - This is not a trojan file, but rather a Microsoft C++ Runtime Library used by other trojan components. This .DLL is typically found in the SYSTEM directory on non-infected systems. A second copy may be found in the WINDOWS directory on infected systems.
UNDO.BAT (49 bytes) - This file simply calls %TEMP%\undo.exe and then deletes the UNDO.EXE file.
UNDO.EXE (57,405 bytes) - An uninstaller to remove the trojan.
Symptoms
- Presence of the files mentioned above.
- Presence of registry run keys which point to these files:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Some users also report that this trojan causes crashes.
Method Of Infection
This trojan gets installed when visiting a hosting website. Currently http://www.koolkatalog.com and http://www.online1net.com contain malicious JavaScript code which installs MNSVC.EXE, as well as the COOLSTUFF.OCX ActiveX Control.
Trojan components are downloaded to the temp directory as FF0*.tmp in compressed form. The files are then extracted to the WINDOWS directory.
Removal Instructions
All Windows Users:
Use current engine and DAT files for detection and removal.
Manual Removal Instructions
Go to the directory: %WinDir%\Downloaded Program Files
Right-click on IO Class and choose REMOVE
Delete any registry keys that reference the files mentioned in the characteristics section of this
description
Restart the computer
Delete the files mentioned in the characteristics section of this description
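The symptoms and manual removal steps above amount to three checks: Run-key values that point at the listed files, the files themselves in the Windows directory (plus the FF0*.tmp download stubs in %TEMP%), and the IO Class control under Downloaded Program Files. The following PowerShell script is an added, read-only example of those checks; it is not part of the original description or McAfee's tooling. The file names and locations come from the description; the regex used to spot the control in Downloaded Program Files and the assumption that %TEMP% is the temp directory in question are mine. It only reports, so the operator can then follow the removal steps by hand.

```powershell
# Added example, not from the original description: read-only scan for the
# Downloader-W indicators listed in the Virus Characteristics section.
$components = @('MNSVC.EXE', 'AUSVC.EXE', 'BVT.EXE', 'ABSR.EXE', 'AUUPG.EXE',
                'COOLSTUFF.OCX', 'EA.BIN', 'MBTCD.BAK', 'UNDO.BAT', 'UNDO.EXE')
# Msvcp60.dll is deliberately NOT in the list: the description says it is a
# legitimate runtime library, suspicious only as a second copy in %WinDir%.

$winDir   = $env:WINDIR
$findings = @()

# 1. Run-key values that reference any trojan component (Symptoms section).
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = (Get-ItemProperty -Path $runKey).PSObject.Properties
    foreach ($prop in $props) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        foreach ($name in $components) {
            if ("$($prop.Value)" -match [regex]::Escape($name)) {
                $findings += [pscustomobject]@{ Kind = 'RunKey'; Item = $prop.Name; Detail = $prop.Value }
            }
        }
    }
}

# 2. Component files extracted to the Windows directory.
foreach ($name in $components) {
    $path = Join-Path $winDir $name
    if (Test-Path $path) {
        $size = (Get-Item $path).Length
        $findings += [pscustomobject]@{ Kind = 'File'; Item = $path; Detail = "$size bytes" }
    }
}

# 3. Extra copy of Msvcp60.dll in %WinDir% (the legitimate copy lives in SYSTEM).
$dupDll = Join-Path $winDir 'Msvcp60.dll'
if (Test-Path $dupDll) {
    $findings += [pscustomobject]@{ Kind = 'File'; Item = $dupDll; Detail = 'second copy outside SYSTEM dir' }
}

# 4. Compressed download stubs FF0*.tmp in the temp directory (assumed to be %TEMP%).
Get-ChildItem -Path $env:TEMP -Filter 'FF0*.tmp' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Kind = 'TempDownload'; Item = $_.FullName; Detail = "$($_.Length) bytes" }
}

# 5. The downloaded ActiveX control. Explorer shows it as "IO Class"; the on-disk
#    name is not given in the description, so matching on either string is an assumption.
$dpf = Join-Path $winDir 'Downloaded Program Files'
Get-ChildItem -Path $dpf -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'IO Class|COOLSTUFF' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Kind = 'ActiveX'; Item = $_.FullName; Detail = 'remove via Downloaded Program Files' }
    }

if ($findings.Count -eq 0) {
    'No Downloader-W indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM key and %WinDir% are readable; an empty report on a 2002-era infection is still not proof of a clean machine, since the description notes that some components (EA.BIN, MBTCD.BAK) were not fully understood at the time, so a current engine and DAT scan remains the authoritative check.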