TROJ_DLOADER.PFR

Malware type: Trojan

Aliases: Trojan.Win32.Agent.hnl (Kaspersky), Winfixer (McAfee), Downloader.MisleadApp (Symantec), TR/Agent.6144.108 (Avira), Mal/Emogen-G (Sophos), Program:Win32/Winfixer (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Medium

Distribution potential: Low

Description: 

This Trojan may be downloaded unknowingly by a user when visiting malicious Web sites.

It creates registry entries to enable its automatic execution at every system startup. It drops copies of itself in the Windows Common Startup folder to enable its automatic execution at every system startup.

It accesses Web sites to download files. As a result, malicious routines of the downloaded files are exhibited on the affected system.


Description created: Sep. 28, 2007 8:54:49 AM GMT -0800


TECHNICAL DETAILS


File type: EXE

Memory resident:  No

Size of malware: 6,150 Bytes

Initial samples received on: Sep 28, 2007

Details:

Arrival

This Trojan is downloaded unknowingly by a user when visiting malicious Web sites.

Installation

This Trojan drops the following copies of itself:

  • %Application Data%\findfast.exe
  • %System%\spoolvs.exe
  • %User Startup%\svchost.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Techniques

This Trojan creates the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
findfast = "%Application Data%\findfast.exe"
LaserJet = "%System%\spoolvs.exe"
svchost = "%User Startup%\svchost.exe"

It drops the following copy of itself in the Windows Common Startup folder to enable its automatic execution at every system startup:

  • FILE: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\START MENU\Programs\Startup\svchost.exe

Download Routine

This Trojan accesses Web sites to download the following files:

  • http://{BLOCKED}.privacyprotector.com/MTcxODY=/6190/antivir.exe - already detected by Trend Micro as ADW_PRIVACY.A
  • http://{BLOCKED}.privacyprotector.com/MTcxODY=/6190/drvcleaner.exe - already detected by Trend Micro as ADW_PRIVACY.A
  • http://{BLOCKED}.privacyprotector.com/MTcxODY=/6190/errprotec.exe - already detected by Trend Micro as ADW_PRIVACY.A
  • http://{BLOCKED}.privacyprotector.com/MTcxODY=/6190/errsafer.exe - already detected by Trend Micro as ADW_PRIVACY.A
  • http://{BLOCKED}.privacyprotector.com/MTcxODY=/6190/prprotect.exe - already detected by Trend Micro as ADW_PRIVACY.A
  • http://{BLOCKED}.privacyprotector.com/MTcxODY=/6190/spoolsv.dll - already detected by Trend Micro as ADW_PRIVACY.A
  • http://{BLOCKED}.privacyprotector.com/MTcxODY=/6190/sysdoctor.exe - already detected by Trend Micro as ADW_PRIVACY.A

As a result, malicious routines of the downloaded files are exhibited on the affected system.

Affected Platforms

This Trojan runs on Windows 98, ME, NT, 2000, XP, and Server 2003.


SOLUTION


Minimum scan engine version needed: 8.300

Pattern file needed: 4.719.00

Pattern release date: Sep 28, 2007


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Note: To fully remove all associated malware, perform the clean solutions for the following:

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the following entries:
    findfast = "%Application Data%\findfast.exe"
    LaserJet = "%System%\spoolvs.exe"
    svchost = "%User Startup%\svchost.exe"
  4. Close Registry Editor.
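The following PowerShell script is an added example and is not part of this Trend Micro write-up or its tooling. It audits a host for the autostart values and dropped copies listed in this description, reporting what it finds without deleting anything, so it can be run before the manual registry cleanup above or across several machines to confirm which ones need it. It assumes a Windows XP or later host with PowerShell installed (the Windows 98/ME/NT platforms named above cannot run it), that %Application Data% maps to $env:APPDATA, %System% to %SystemRoot%\System32, and %User Startup% to the current user's Startup folder; the 6,150-byte size is the sample size given in the Technical Details. The function name Test-DloaderPfrIndicators is this example's own.

```powershell
# Added example: read-only audit for TROJ_DLOADER.PFR indicators named in the advisory.
# Path mappings for %Application Data%, %System% and %User Startup% are assumptions
# for XP and later; adjust them if your profile layout differs.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Run values from the advisory, with the data they are expected to carry once expanded.
$expectedRunValues = @{
    'findfast' = Join-Path $env:APPDATA 'findfast.exe'
    'LaserJet' = Join-Path $env:SystemRoot 'System32\spoolvs.exe'
    'svchost'  = Join-Path ([Environment]::GetFolderPath('Startup')) 'svchost.exe'
}

# Dropped copies from the advisory. Note that a file named svchost.exe inside the
# Startup folder is never the legitimate Windows service host, which lives in %System%.
$droppedFiles = @(
    (Join-Path $env:APPDATA 'findfast.exe'),
    (Join-Path $env:SystemRoot 'System32\spoolvs.exe'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'svchost.exe')
)

# Sample size reported in the advisory (Technical Details: 6,150 bytes).
$advisorySize = 6150

function Test-DloaderPfrIndicators {
    $findings = @()

    # 1. Registry Run values. Match on value name first, then compare the data,
    #    so a renamed payload path is still surfaced for a human to review.
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($name in $expectedRunValues.Keys) {
            $prop = $run.PSObject.Properties[$name]
            if ($null -ne $prop) {
                $note = if ($prop.Value -ieq $expectedRunValues[$name]) {
                    'data matches advisory'
                } else {
                    'value name matches advisory; data differs, review manually'
                }
                $findings += [pscustomobject]@{
                    Type = 'RegistryRunValue'; Name = $name; Value = $prop.Value; Note = $note
                }
            }
        }
    }

    # 2. Dropped files. Existence is the indicator; the size check is a weak
    #    secondary signal only, since the advisory publishes no hash.
    foreach ($path in $droppedFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $note = if ($item.Length -eq $advisorySize) {
                'size matches advisory sample'
            } else {
                'present; size differs from advisory sample'
            }
            $findings += [pscustomobject]@{
                Type = 'DroppedFile'; Name = $path; Value = $item.Length; Note = $note
            }
        }
    }

    return $findings
}

$results = @(Test-DloaderPfrIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No TROJ_DLOADER.PFR indicators found in HKCU Run or the listed drop locations.'
} else {
    $results | Format-Table -AutoSize
}
```

Because the Run key checked is under HKEY_CURRENT_USER, the script only sees the profile it runs under; run it as each user of a shared machine, or adapt the key to load other users' hives, before concluding a host is clean.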

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_DLOADER.PFR. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
