This Trojan program is a Windows PE EXE file approximately 7KB in size, written in Delphi, and packed using UPX. The unpacked file is approximately 39KB in size.
The Trojan file may be copied as twink64.exe.
The Trojan may download other Trojan programs from the Internet and launch them on the victim machine. Files listed below are downloaded from http://ve***z.biz:
1.dat
2.dat
3.dat
com.exe
intron.exe
ir.exe
lpt.exe
mouse.exe
printer.exe
usb.exe
windos.exe
These files will then be copied to the Windows system directory and executed.
Virus Information
Prevalence:
Medium
Name: Downloader-LU
Type: Internet Trojan
How it spreads: Internet Downloads
Affected operating: Windows
Aliases: Troj/Dloader-BW, Trojan-Downloader.Win32.Delf.cb
Date of surface: 2 August 2005
MediumName: Downloader-LU
Type: Internet Trojan
How it spreads: Internet Downloads
Affected operating: Windows
Aliases: Troj/Dloader-BW, Trojan-Downloader.Win32.Delf.cb
Date of surface: 2 August 2005
You have to remove the virus. You need to do one of the following things:
1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that Internet access for your system is running. Right click on
and click Download eScan update. The latest updates are downloaded,your system is scanned and the worm is removed.
OR
2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses. If any illegal dialers or sniffer tools have been installed they are detected.
MWAV Tool Kit
(Download the free MicroWorld Anti Virus Toolkit that detects viruses in system registry and running processes)
Link 1
Link 2
Link 3
eScan Internet Security Suite (ISS)
(Download MicroWorld`s eScan that detects viruses in system registry,running processes and has a real time monitor)
Link 1
Link 2
Link 3
Link 4
Link 5
Link 6
1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that Internet access for your system is running. Right click on
and click Download eScan update. The latest updates are downloaded,your system is scanned and the worm is removed.OR
2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses. If any illegal dialers or sniffer tools have been installed they are detected.
MWAV Tool Kit
(Download the free MicroWorld Anti Virus Toolkit that detects viruses in system registry and running processes)
Link 1
Link 2
Link 3
eScan Internet Security Suite (ISS)
(Download MicroWorld`s eScan that detects viruses in system registry,running processes and has a real time monitor)
Link 1
Link 2
Link 3
Link 4
Link 5
Link 6
This Trojan program is a Windows PE EXE file approximately 7KB in size, written in Delphi, and packed using UPX. The unpacked file is approximately 39KB in size.
The Trojan file may be copied as twink64.exe.
The Trojan may download other Trojan programs from the Internet and launch them on the victim machine. Files listed below are downloaded from http://ve***z.biz:
1.dat
2.dat
3.dat
com.exe
intron.exe
ir.exe
lpt.exe
mouse.exe
printer.exe
usb.exe
windos.exe
These files will then be copied to the Windows system directory and executed.
Once launched, the Trojan copies itself to the Windows system directory as host.32.exe
%System%\host32.exe
It then registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ControlPanel"="%System%\host32.exe internat.dll,LoadKeyboardProfile "
This ensures that the Trojan file will be launched each time Windows is rebooted on the victim machine.
The Trojan file may be copied as twink64.exe.
The Trojan may download other Trojan programs from the Internet and launch them on the victim machine. Files listed below are downloaded from http://ve***z.biz:
1.dat
2.dat
3.dat
com.exe
intron.exe
ir.exe
lpt.exe
mouse.exe
printer.exe
usb.exe
windos.exe
These files will then be copied to the Windows system directory and executed.
Once launched, the Trojan copies itself to the Windows system directory as host.32.exe
%System%\host32.exe
It then registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ControlPanel"="%System%\host32.exe internat.dll,LoadKeyboardProfile "
This ensures that the Trojan file will be launched each time Windows is rebooted on the victim machine.
