Follow:

 

Trojan:BAT/Downsys.A


Trojan:BAT/Downsys.A is a trojan that is dropped by Trojan:Win32/Downsys.A. It usually arrives with the file name "a<5 random digits>.bat". It facilitates the execution of other malware.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Trojan:BAT/Downsys.A is a trojan that is dropped by Trojan:Win32/Downsys.A. It usually arrives with the file name "a<5 random digits>.bat".
 
It copies the following files into the drives E:, F:, G:, and H:, if found:
  • autorun.inf - also dropped by Trojan:Win32/Downsys.A
  • nircmd.exe - legitimate tool, which may be dropped by other malware
 
Trojan:BAT/Downsys.A then attempts to modify the system registry to allow the file "winessentials.exe" to automatically run every time Windows starts. It does this by using the command-line tool "nircmd.exe" to add the following registry entry:
 
Adds value: "win32api"
With data: "<system folder>\winsystem\winessentials.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
The file "winessentials.exe" is detected as TrojanDropper:Win32/Agent. This file may drop a BAT file, also detected as Trojan:BAT/Downsys.A, in the Temporary Files folder. This version of Trojan:BAT/Downsys.A runs Trojan:Win32/Downsys.A and kills TrojanDropper:Win32/Agent.
 
Analysis by Andrei Florin Saygo

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed Antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.117.2303.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jul 29, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Agent.BAT.A (BitDefender)