Discovered: October 29, 2003
Updated: October 30, 2003 5:21:29 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Downloader.Dluca.D is a trojan program that sends information about the compromised system to a remote website. When the trojan is installed, it creates the following copies of itself:
%System%\DLuxjp-uninstall.exe
C:\Program Files\Dialers\Dluxjp\DLuxjp.exe
It also creates the following icon file:
C:\Program Files\Dialers\Links\DLuxjp.ico
It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Dluxjp"="C:\Program Files\Dialers\Dluxjp\Dluxjp.exe /noconnect"
It also inserts the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\DLuxjp\"DisplayName" = "DLuxjp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\DLuxjp\"UninstallString" = "%System%\DLux-uninstall.exe /uninstall"
HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp\"ICN" = "Y"
HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp\"MIMETRYPE_DESCRIPTION" = ".x"
The trojan then sends system information to a remote system on TCP port 80. It sends the following HTTP GET request:
GET /w/getclientid?srv=winde&ver=0,0,0,70&pin=999997&OSInfo=Windows_4.10.67766446__A__PlatformID_1&GMC=1061242491 HTTP/1.1
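A detection example added here, not part of the original writeup: it parses the beacon request line above into its query fields, flags proxy-log lines that carry it, and matches the registry artefacts listed above in a .reg export. The proxy-log format and all sample lines are constructed assumptions, not captured data.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Beacon path and query fields taken from the GET request quoted in the writeup.
BEACON_PATH = "/w/getclientid"
BEACON_FIELDS = ("srv", "ver", "pin", "OSInfo", "GMC")
# Registry artefacts from the writeup, lower-cased for case-insensitive matching.
REG_INDICATORS = (r"\dialers\dluxjp\dluxjp.exe /noconnect",
                  r"\currentversion\uninstall\dluxjp", r"\siteicons\dialers\dluxjp")
# Constructed proxy-log format assumed here: '<timestamp> <client_ip> "<request line>"'.
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"')

def parse_beacon(request_line):
    """Return the beacon's query fields if the request line matches, else None."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != BEACON_PATH:
        return None
    qs = parse_qs(url.query)
    return {k: qs.get(k, [""])[0] for k in BEACON_FIELDS}

def scan_proxy_log(lines):
    """Flag clients whose requests carry the beacon, with the leaked fields."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        fields = parse_beacon(m.group(3)) if m else None
        if fields:
            hits.append({"time": m.group(1), "client": m.group(2), **fields})
    return hits

def scan_reg_export(text):
    """Return lines of a .reg export matching an indicator (.reg doubles backslashes in data)."""
    return [ln for ln in text.splitlines()
            if any(ind in ln.lower().replace("\\\\", "\\") for ind in REG_INDICATORS)]

# Constructed sample data, not captured from a real system.
SAMPLE_LOG = [
    '2003-10-30T09:58:12 10.0.0.7 "GET /index.html HTTP/1.1"',
    '2003-10-30T10:00:01 10.0.0.5 "GET /w/getclientid?srv=winde&ver=0,0,0,70&pin=999997'
    '&OSInfo=Windows_4.10.67766446__A__PlatformID_1&GMC=1061242491 HTTP/1.1"',
    '2003-10-30T10:00:03 10.0.0.9 "POST /w/getclientid HTTP/1.1"',
]
SAMPLE_REG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"Dluxjp"="C:\\Program Files\\Dialers\\Dluxjp\\Dluxjp.exe /noconnect"',
    r"[HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp]",
])
```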