What do these four attackers do - 'BehavesLike.Win32.Malware.klt (mx-v)', 'Trojan.Win32.Generic!BT', 'Trojan-Dropper.Win32.Agent.bjw' and 'Zango[780]'

jana asked:
Can an EE tell what type of attacks the following infections carry out:

    1. BehavesLike.Win32.Malware.klt (mx-v)
    2. Trojan.Win32.Generic!BT
    3. Trojan-Dropper.Win32.Agent.bjw
    4. Zango[780]

Can you also give some sort of example of the attack?
greyknight17 commented:

The first two might just be false positives.

For the third one, see the description for it here.

The last one for Zango is most likely some program bundled with some install file for a program. It's adware-based. Not harmful, but it can be flagged by some scanners due to its nature (ads).

Russell_Venable commented:

Well, if you are getting all of these from one package, the installer acts as a disguise for the dropper to download additional unauthorized software to be run by the malicious installer package; it then attempts to alert the creator of the installation with connection details or whatever they added for functionality. Usually they kill antivirus/firewall, disable updates, and then install stealthing software among other tools to clean/hide their presence. From there on it's an open door to anything they want. Zango is used to make the package appear to be legit. A lot of packages like these ones are part of criminal underground market profit sources; they get paid per how many installations they get and how useful they are, i.e. botnets, DDoS attacks, cracking services, just to name a few. Just shows how careful you really need to be with downloads and surfing the net these days.

Most of these types of attacks are social engineering attacks. They post legitimate-looking programs and make them appealing to people to download, whether it be a catchy title or something useful like a search engine; they all have a hidden purpose and usually not a good one. No special exploits are needed for these types of attacks as they are basic in nature and really a matter of people being naive in their decision making.

Author

Commented:
greyknight17:

    How can I make sure the first two might just be false positives?

Russell_Venable:

    I'm not getting this from the same package; it's four separate apps with the problem:

    - sqlassist.dll (BehavesLike.Win32.Malware.klt)
    - tmg-trecorder32.exe (Trojan.Win32.Generic!BT)
    - convertsbatch&scipts-to-execs,exescript.exe (Trojan-Dropper.Win32.Agent.bjw)
    - vlcsetup.exe (Zango[780])

    Just to make sure, everything you said in the first paragraph and prior to the sentence beginning
    with "Zango is used..." is referencing the first three bad files below?

    - BehavesLike.Win32.Malware.klt (mx-v)
    - Trojan.Win32.Generic!BT
    - Trojan-Dropper.Win32.Agent.bjw

    (I'm trying to really understand these 3 files)
Russell_Venable commented:

Yes, this comes as a kit: injected DLL file, dropper, and the backbone Trojan that gives access. They are sometimes packaged separately but usually come in a full package. If it was packed it would not tell you about those files. So you're telling me you downloaded all four files separately?

Author

Commented:
Yes, they are different programs I downloaded at different times (SQL Assist, TMG-trecorder32.exe, exescript.exe and vlcsetup.exe).

Can this make a difference?

Russell_Venable commented:

According to your antivirus it detects that "vlcsetup.exe" has code that downloads a file remotely as soon as it is executed. It's not harmful if you downloaded it straight from the original source; otherwise it could contain malicious content. Further analysis shows that the file "TMG-trecorder32.exe" is a renamed "cracked" version of the original software. Usually those folks "Team TMG" are known for binding Trojans and other baddies into their "cracked" software distributions. Getting back to your question: yes, it does make a difference.
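The answer above hinges on whether an installer such as vlcsetup.exe really came unmodified from its original source. The usual defender's check is to hash the downloaded file and compare it against the SHA-256 the publisher advertises on its own site. The script below is an added example and is not code from this thread or from any of the vendors mentioned; the filenames come from the thread, but the digests in `EXPECTED_SHA256` are placeholders, and the demo input it hashes is a constructed file whose digest is the published SHA-256 test vector for the bytes `abc`.

```python
"""Verify downloaded installers against publisher-advertised SHA-256 digests.

Added example; not code from the thread. The digests in EXPECTED_SHA256 are
placeholders and must be replaced with values copied from the publisher's
own download page, never from the mirror that served the installer.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List

CHUNK = 1 << 20  # hash 1 MiB at a time so large installers are not read into RAM at once

# Constructed manifest keyed by the filenames named in the thread (placeholders).
EXPECTED_SHA256: Dict[str, str] = {
    "vlcsetup.exe": "<sha256 published by the vendor>",   # placeholder
    "exescript.exe": "<sha256 published by the vendor>",  # placeholder
}

# Published SHA-256 test vector for the byte string b"abc"; used only by the demo.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str) -> str:
    """Classify one file as 'match', 'mismatch' or 'missing' against an expected digest."""
    if not os.path.isfile(path):
        return "missing"
    actual = sha256_of_file(path)
    # compare_digest keeps comparison time independent of where the digests differ
    if hmac.compare_digest(actual, expected_hex.strip().lower()):
        return "match"
    return "mismatch"


def verify_manifest(directory: str, manifest: Dict[str, str]) -> Dict[str, str]:
    """Check every file in the manifest; files not listed in the manifest are ignored."""
    return {name: verify_download(os.path.join(directory, name), digest)
            for name, digest in manifest.items()}


def do_not_run(results: Dict[str, str]) -> List[str]:
    """Names that should stay quarantined: anything that is not a verified match."""
    return sorted(name for name, status in results.items() if status != "match")


if __name__ == "__main__":
    # Constructed demo: one file with the known digest of b"abc", one tampered, one absent.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.exe"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "tampered.exe"), "wb") as f:
            f.write(b"abc\x00")  # a single extra byte changes the entire digest
        demo = {"good.exe": SHA256_ABC, "tampered.exe": SHA256_ABC, "absent.exe": SHA256_ABC}
        results = verify_manifest(d, demo)
        for name, status in results.items():
            print(f"{name}: {status}")
        print("do not run:", do_not_run(results))
```

A matching digest only tells you the file is the one the publisher shipped; it says nothing about a bundled adware component the publisher chose to include, which is the Zango case discussed earlier in the thread. A mismatch, or no published digest at all, is the signal to keep the file quarantined and submit it to the scanner vendor rather than to treat the detection as a false positive.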

Author

Commented:
Thanx

Author

Commented:
THANX
