Dr.Web Anti-virus - Innovative IT-Security Solutions
Latest Released Update : (HKT) 2013-05-21 07:01
Virus Database Total Records : 4037753
‹ How To Remove Virus "Trojan.DownLoader6.7996" ›

Technical Information
Virus Name : Trojan.DownLoader6.7996
Named By : Dr.Web

To ensure automatic startup and distribution:
Modifies the following registry keys (the Winsock 2 transport-provider catalog, Protocol_Catalog9, and the namespace-provider catalog, NameSpace_Catalog5):
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001] 'LibraryPath' = 'mswsock.dll'
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003] 'LibraryPath' = 'mswsock.dll'
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = ''
  • [<HKLM>\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = ''
Malicious functions:
Injects code into the following system processes:
  • <SYSTEM32>\services.exe
  • %WINDIR%\Explorer.EXE
Modifies the file system:
Creates the following files:
  • %WINDIR%\Installer\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\n
  • %WINDIR%\assembly\GAC\Desktop.ini
  • %WINDIR%\Installer\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\@
  • <LS_APPDATA>\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\@
  • <LS_APPDATA>\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\n
Sets the 'hidden' attribute on the following files:
  • %WINDIR%\Installer\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\@
  • %WINDIR%\Installer\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\n
  • <LS_APPDATA>\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\@
  • <LS_APPDATA>\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\n
Deletes itself.
Network activity:
Connects to:
  • '20#.#08.79.128':80
TCP:
HTTP GET requests:
  • 20#.#08.79.128/count.php?id########################
  • 20#.#08.79.128/count.php?id#########################
  • 20#.#08.79.128/count.php?id#######################
UDP:
  • DNS ASK $�#4^�
  • DNS ASK $�#���U
  • DNS ASK $�#�ϔg
  • DNS ASK $�#�u'�
  • DNS ASK $�#�O=
  • DNS ASK $�#-,��
  • DNS ASK pr####.fling.com
  • DNS ASK $�#���
  • DNS ASK $�#+uߎ
  • DNS ASK $�#��
  • '24.##6.57.162':16471
  • '21#.#7.157.93':16471
  • '17#.#64.166.153':16471
  • '20#.#25.140.57':16471
  • '68.##4.11.100':16471
  • '18#.#97.80.86':16471
  • '95.##0.192.161':16471
  • '94.##.218.52':16471
  • '17#.#1.46.15':16471
  • '89.##4.213.91':16471
  • '18#.#5.216.48':16471
  • '18#.#8.47.41':16471
  • '81.#98.10.6':16471
  • '85.##5.212.9':16471
  • '96.##.168.56':16471
  • '18#.#8.106.146':16471
  • '58.#.46.119':16471
  • '18#.#1.177.40':16471
  • '10#.#3.85.129':16471
  • '31.##6.190.228':16471
  • '71.##.140.222':16471
  • '17#.#01.7.125':16471
  • '21#.#83.130.196':16471
  • '12#.#86.184.165':16471
  • '18#.#29.143.50':16471
  • '89.##5.29.162':16471
  • '21#.#4.150.155':16471
  • '97.##.117.168':16471
  • '31.##7.54.36':16471
  • '24.#3.54.58':16471
Please note: some characters are replaced with symbols to prevent improper access to malware.
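The indicators above can be checked offline with the following script. It is an added example written for this page, not Dr.Web's code or a Dr.Web tool: it parses text collected from a suspect host (the output of "netsh winsock show catalog" for the Winsock catalog entries, a recursive directory listing for the {GUID}\@ and {GUID}\n files, the Windows Firewall log pfirewall.log for UDP traffic to port 16471, and a proxy log for the count.php?id beacon). Because the dropper deletes itself, these leftovers are what remains to look for. All sample inputs are constructed; the IP addresses use RFC 5737 documentation ranges because the report masks the real ones, and the Layered Service Provider entry named "Example LSP" and its DLL path are hypothetical. The GUID check accepts any GUID rather than only the one on this page.

```python
"""Offline triage checks for the indicators in the report above.

Added example, not Dr.Web code.  It runs on text captured from a suspect
host (output of `netsh winsock show catalog`, a recursive directory listing,
the Windows Firewall log pfirewall.log, and a proxy log), so it can be
exercised without a live machine.  All sample inputs below are constructed;
IP addresses use RFC 5737 documentation ranges because the report masks the
real ones, and the rogue LSP entry is hypothetical.
"""
import re

P2P_PORT = 16471                # UDP peer port seen in the report
BEACON_PATH = "/count.php?id"   # HTTP GET pattern seen in the report
# Layout from the report: <root>\{GUID}\@ and <root>\{GUID}\n.  Any GUID is
# accepted so the check is not tied to the single GUID on this page.
GUID_DIR_FILE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[@n]$", re.I)


def winsock_providers(netsh_output):
    """(description, provider path) for every catalog entry that names a DLL."""
    found = []
    for record in re.split(r"\n\s*\n", netsh_output.strip()):
        desc = re.search(r"^Description:\s*(.+?)\s*$", record, re.M)
        path = re.search(r"^Provider Path:\s*(.+?)\s*$", record, re.M)
        if path:
            found.append((desc.group(1) if desc else "", path.group(1)))
    return found


def rogue_providers(netsh_output):
    """Catalog entries whose DLL lives outside System32.  The registry edits in
    the report rewrite the Winsock transport and namespace catalogs, so any
    provider DLL loaded from a user-writable directory deserves a look."""
    rogue = []
    for desc, path in winsock_providers(netsh_output):
        norm = path.lower().replace("%systemroot%", "c:\\windows")
        if not norm.startswith("c:\\windows\\system32\\"):
            rogue.append((desc, path))
    return rogue


def p2p_peers(firewall_log):
    """Destination IPs of outbound UDP packets to the peer port.
    pfirewall.log fields: date time action protocol src-ip dst-ip src-port
    dst-port ... path; lines starting with '#' are the header."""
    peers = set()
    for line in firewall_log.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].startswith("#"):
            continue
        if f[3] == "UDP" and f[7] == str(P2P_PORT) and f[-1] == "SEND":
            peers.add(f[5])
    return peers


def beacon_urls(log_text):
    """Whitespace-separated tokens (URLs) that carry the count.php?id beacon."""
    return [tok for line in log_text.splitlines()
            for tok in line.split() if BEACON_PATH in tok]


def guid_dropper_files(dir_listing):
    """Listing lines that end in \\{GUID}\\@ or \\{GUID}\\n."""
    return [l.strip() for l in dir_listing.splitlines()
            if GUID_DIR_FILE.search(l.strip())]


# ---- constructed sample inputs (not captured from a real host) ------------
SAMPLE_NETSH = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP (hypothetical)
Provider Path:                      C:\Users\Public\AppData\Local\lsp.dll
Catalog Entry ID:                   1002
"""
SAMPLE_FIREWALL = """
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-05-21 07:01:10 ALLOW UDP 192.168.1.5 192.0.2.10 16471 16471 0 - - - - - - - SEND
2013-05-21 07:01:11 ALLOW UDP 192.168.1.5 198.51.100.7 16471 16471 0 - - - - - - - SEND
2013-05-21 07:01:12 ALLOW UDP 192.168.1.5 192.168.1.1 51234 53 0 - - - - - - - SEND
2013-05-21 07:01:13 ALLOW TCP 192.168.1.5 192.0.2.10 49152 80 0 - 0 0 0 - - - SEND
"""
SAMPLE_PROXY = "2013-05-21 07:01:13 192.168.1.5 GET http://192.0.2.10/count.php?id=0 200\n"
SAMPLE_LISTING = r"""
C:\Windows\Installer\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\@
C:\Windows\Installer\{2ebe1c2e-2a38-cb36-436c-4d1cb8c2630c}\n
C:\Windows\Installer\{1f2e3d4c-5b6a-7980-8a9b-0c1d2e3f4a5b}\setup.exe
C:\Windows\assembly\GAC\Desktop.ini
"""


def triage(netsh=SAMPLE_NETSH, firewall=SAMPLE_FIREWALL,
           listing=SAMPLE_LISTING, proxy=SAMPLE_PROXY):
    """Run all four checks and return the findings by indicator type."""
    return {"lsp": rogue_providers(netsh), "peers": sorted(p2p_peers(firewall)),
            "files": guid_dropper_files(listing), "beacons": beacon_urls(proxy)}


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(f"{kind}: {hits}")
```

Run it as-is to see the findings for the constructed samples, or call triage() with text captured from a real host. A Winsock provider DLL outside System32 and any UDP peer on port 16471 are the strongest signals. The Desktop.ini in the GAC folder is deliberately not matched: a file of that name is common and needs content inspection rather than a path match.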


Steps to remove "Trojan.DownLoader6.7996" automatically
  • Download Dr.Web CureIt! and save it to the desktop.
  • Download Security Space Pro 7.0 (32/64-bit) and save it to the desktop.
  • Reboot the computer into Safe Mode (press F8 before the Windows logo appears).
  • Double-click "cureit.exe" on the desktop and follow the on-screen instructions to scan the hard disk.
    (Be patient: an express scan may take 20-60 minutes.)
  • When the scan finishes, select all the threats found and choose "Cure".
    (If a file cannot be cured, choose "Quarantine" or "Delete".)
  • When every threat found has been cured, quarantined, or deleted, reboot into Normal Mode.
  • Uninstall any existing anti-virus software that failed to remove the infection, then reboot again.
  • Locate the Security Space Pro setup file on the desktop and double-click it to run it.
    (For step-by-step procedures, refer to the installation video guide.)
  • During setup, choose to obtain a demo key.
  • After the first update, the scanner launches again; quit it at this point.
  • Complete the setup by rebooting the computer.
  • When time permits (a full scan may take several hours), run a full scan in Dr.Web Scanner.

Note:
  • If Windows cannot start because of the infection, use Dr.Web LiveCD or Dr.Web LiveUSB instead of Dr.Web CureIt!
  • The time an express or full scan needs depends on many factors, such as system performance, available memory, running processes, and the number of drives and files.
  • The WinSock2\Parameters catalog entries listed above are the Winsock transport and namespace provider catalogs. If network connectivity is broken after the trojan has been removed, run "netsh winsock reset" from an administrator command prompt and reboot to rebuild them.

‹ Dr.Web CureIt! › Download sources:
  • Dr.Web Global Servers (released 2013-05-20 03:49)
  • Google Drive (released 2013-05-21 03:09)
  • SkyDrive (released 2013-05-21 03:09)

‹ Dr.Web Security Space Pro › Download sources:
  • Dropbox (released 2013-02-07 16:02)
  • Google Drive (released 2013-02-07 16:02)
  • SkyDrive (released 2013-02-07 16:02)

