Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/20/2007
Date Added: 6/20/2007
Origin: N/A
Length: 8.192
Type: Trojan
SubType: Downloader
DAT Required: 5059
Virus Characteristics
Detection was added to cover a malicious 32-bit PE downloader file originally called "systime.exe", with a file size of 8.192 bytes. When run, it executes silently: no GUI message boxes appear on the screen.
It immediately copies itself into the %system32 folder and creates a registry entry so that it runs automatically at system start, for example on Win2k:
- c:\WINNT\system32\systime.exe
It might also copy itself to the root of the c: drive; the c:\systime.exe location is hardcoded inside the file.
It tries to download a binary called "network.exe" from http://drsun####.go#.icp##.## , but at test time the binary was not accessible. The exact address has been changed on purpose here with # markings.
Indications of Infection
- Presence of "systime.exe", with a file size of 8.192 bytes.
- Network connections to http://drsun####.go#.icp##.## (the exact address has been changed on purpose here with # markings).
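
A triage check for the host indicators above, as an added example that is not part of the original description. It assumes the autostart entry sits under the standard Run keys (the description does not name the key) and reads "8.192 bytes" as 8192 bytes; the function names are hypothetical.

```powershell
# Added example: look for the file and autostart indicators described above.
# Assumptions: Run keys hold the autostart entry; "8.192 bytes" means 8192 bytes.
$ExpectedName = 'systime.exe'
$ExpectedSize = 8192

function Get-SystimeFileHits {
    # Locations named in the description: the system32 folder and the c:\ root.
    $candidates = @(
        (Join-Path $env:SystemRoot "System32\$ExpectedName"),
        "C:\$ExpectedName"
    )
    foreach ($path in $candidates) {
        # -Force so hidden/system attributes do not hide the file from the check.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{
                Indicator = 'File'
                Location  = $item.FullName
                Detail    = "$($item.Length) bytes"
                # A name match alone is weak; the size match strengthens it.
                SizeMatch = ($item.Length -eq $ExpectedSize)
            }
        }
    }
}

function Get-SystimeAutorunHits {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # skip registry provider metadata
            if ("$($p.Value)" -match [regex]::Escape($ExpectedName)) {
                [pscustomobject]@{
                    Indicator = 'Autorun'
                    Location  = "$key\$($p.Name)"
                    Detail    = "$($p.Value)"
                    SizeMatch = $null
                }
            }
        }
    }
}

@(Get-SystimeFileHits) + @(Get-SystimeAutorunHits) | Format-Table -AutoSize -Wrap
```

An empty result means none of these host indicators were found at the checked locations; it does not replace a scan with current engine and DAT files.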
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).