This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Trojan-Downloader:W32/Mebroot.gen!B is a Generic Detection that identifies the downloader program responsible for fetching the installer for the Mebroot rootkit, which is discussed in further detail in the following Labs Weblog posts:
The downloader is known to be distributed to users via a malicious website (driveby download) or via an exploit.
When active, the downloader downloads an encrypted file on port 443 or 80 from:
- http://bcoxgcgxes.com (encrypted file)
where (encrypted file) is a defined string. This string is unique in every sample.
Once downloaded, the encrypted file is first saved in an allocated memory where it will be decrypted, then saved to a file in a temporary folder. The file will then be executed.
The encrypted file is encrypted with an RC2 encryption algorithm. The Cipher Hash that is used in the decryption is based on a defined string that is also unique in every sample.
About Generic Detections
Unlike more traditional detections (also known as signatures or single-file detections) a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds of malware.
For more information about Generic Detections, please see the Generic Detection description.