TROJ_DASMIN.C

Malware type: Trojan

Aliases: Trojan.Win32.Dasmin.a (Kaspersky), Generic StartPage.c (McAfee), HEUR/Malware (Avira), Troj/Dasmin-Gen (Sophos),

In the wild: No

Destructive: No

Language: English

Platform: Windows 95/98/NT/2000/ME/XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Description: 
This malware is a UPX-compressed, multi-threaded Trojan that, once activated, is able to carry out the following routines in the affected system:

  • Reinstall itself in the infected system every five seconds
  • Replace the Windows hosts file with a file downloaded from a remote site
  • Download files from a remote site and execute them locally
  • Download a file from a remote site and modify Internet Explorer's Search Page and Homepage according to the downloaded file's contents
  • Download a list of file names from a remote site and, if one of the files in the list is in the Windows AutoStart registry key, delete that file and its corresponding registry entry
  • Download a list of file names from a remote site and, if one of the files in the list is in the Windows AutoStart registry key, terminate it, delete it, and remove its corresponding autostart registry entry
  • Connect to a particular URL

This malware works on Windows 95, 98, NT, 2000, ME and XP systems.

Note: This malware uses a bear as an icon and the file name JDBGMRG.EXE to fool users into thinking that it is the "JDBGMGR.EXE Hoax".

For additional information about this threat, see:

Description created: Jan. 3, 2003 2:25:03 PM GMT -0800
Description updated: Jan. 3, 2003 2:26:59 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 9,216 Bytes (UPX compressed); 15,872 Bytes (uncompressed)

Initial samples received on: Jan 3, 2003

Details:
Arrival and Installation

Upon execution, this Trojan drops a copy of itself in the Windows system directory as JDBGMRG.EXE and AVIRCHK.EXE.

So that it is executed at every system startup, under this key,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

it creates the following registry entries:

MSConfigr = "%System%\JDBGMRG.EXE"

VirusCheckII = "%System%\AVIRCHK.EXE"

and under this key,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

it creates the following registry entries:

MSConfigr = "%System%\JDBGMRG.EXE"

VirusCheckII = "%System%\AVIRCHK.EXE"

*Where %System% is the Windows system directory, which is usually C:\Windows\System or C:\WINNT\System32.

Also, it creates this registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
OEMCurrentVersion = |tVersion

It leaves a mark indicating that it is already running in the system by creating the following mutex:

{05C13573-B449-4e0b-83F5-7FD612E378E9}

Payload

Once installed in a system, this malware then creates multiple threads that will do the following separately:

  • Reinstall itself in the infected system every five seconds
  • Replace the Windows hosts file with a file downloaded from a remote site
  • Download files from a remote site and execute them locally
  • Download a file from a remote site and modify Internet Explorer's Search Page and Homepage according to the downloaded file's contents
  • Download a list of file names from a remote site and, if one of the files in the list is in the Windows AutoStart registry key, delete that file and its corresponding registry entry
  • Download a list of file names from a remote site and, if one of the files in the list is in the Windows AutoStart registry key, terminate it, delete it, and remove its corresponding autostart registry entry
  • Connect to a particular URL

Note: This malware uses a bear as an icon and the filename JDBGMRG.EXE to fool users into thinking that it is the "JDBGMGR.EXE Hoax".

More information on the "JDBGMGR.EXE Hoax" can be found at: http://www.trendmicro.com/vinfo/hoaxes/hoax5.asp?HName=JDBGMGR%2EEXE%20Hoax

This malware works on Windows 95, 98, NT, 2000, ME and XP systems.

Revision History:

First pattern file version: 4.572.08
First pattern file release date: Jun 30, 2007

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 4.573.00

Pattern release date: Jul 1, 2007


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs*, locate the process:
    AVIRCHK.EXE
    JDBGMRG.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entries:
    MSConfigr = "%System%\JDBGMRG.EXE"
    VirusCheckII = "%System%\AVIRCHK.EXE"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entries:
    MSConfigr = "%System%\JDBGMRG.EXE"
    VirusCheckII = "%System%\AVIRCHK.EXE"

    Proceed to remove the additional entry created by the malware:

  6. Still in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion
  7. In the right panel, locate and delete the entry:
    OEMCurrentVersion = |tVersion
  8. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
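As an added example (not code from the original Trend Micro entry), the following Python script checks an exported .reg file for the persistence entries listed under Arrival and Installation and emits a .reg fragment that deletes the same values the registry steps above remove; it also flags a Run/RunServices value that has been renamed but still points at JDBGMRG.EXE or AVIRCHK.EXE, which goes slightly beyond the description. The function names and the sample export are assumptions constructed for this example.

```python
# Added example: find the TROJ_DASMIN.C persistence entries in a REGEDIT .reg export.
CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
RUN_KEYS = (CV + r"\Run", CV + r"\RunServices")   # autostart keys the Trojan writes to
VALUE_NAMES = {"MSConfigr", "VirusCheckII"}       # value names it creates there
DROPPED_FILES = {"JDBGMRG.EXE", "AVIRCHK.EXE"}    # copies it drops in %System%
MARKER_VALUE = "OEMCurrentVersion"                # extra value under CurrentVersion

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports escape each backslash in string data as "\\"
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_dasmin_persistence(reg_text):
    """Return (key, value_name, data) for autostart values using the Trojan's names or files, plus its marker."""
    hits, keys = [], {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            file_name = data.upper().rsplit("\\", 1)[-1]
            if name in VALUE_NAMES or file_name in DROPPED_FILES:
                hits.append((key, name, data))
    marker = keys.get(CV.lower(), {})
    if MARKER_VALUE in marker:
        hits.append((CV, MARKER_VALUE, marker[MARKER_VALUE]))
    return hits

def build_cleanup_reg(hits):
    """Emit a .reg file that deletes every flagged value ('"name"=-' is REGEDIT's delete syntax)."""
    out = ["Windows Registry Editor Version 5.00"]
    for key in dict.fromkeys(k for k, _, _ in hits):       # unique keys, in order of first hit
        out += ["", f"[{key}]"] + [f'"{n}"=-' for k, n, _ in hits if k == key]
    return "\n".join(out) + "\n"

# Constructed sample export (not a real capture) mirroring the entries in this description.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfigr"="C:\\WINNT\\System32\\JDBGMRG.EXE"
"VirusCheckII"="C:\\WINNT\\System32\\AVIRCHK.EXE"
"Notepad"="C:\\WINNT\\notepad.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"OEMCurrentVersion"="|tVersion"
'''
```

Running `build_cleanup_reg(find_dasmin_persistence(SAMPLE_EXPORT))` yields a .reg file that, when merged, removes only the three flagged values and leaves the Notepad entry alone.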

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer homepage and search page to the default settings.

  1. Close all Internet Explorer windows.
  2. Open Control Panel. Click Start>Settings>Control Panel
  3. Double-click the Internet Options icon.
  4. In the Internet Properties window, click the Programs tab.
  5. Click the "Reset Web Settings..." button.
  6. Select "Also reset my home page." Click Yes.
  7. Click OK.

Restoring the Windows HOSTS file

Since the hosts file is system-specific, please contact your network administrator for a copy of this file.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as TROJ_DASMIN.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Additional Windows ME/XP Cleaning Instructions

