TrojanDownloader:Win32/Tonick.gen!B may download files from a predefined remote site.
This trojan may be promoted on a malicious site as a codec. When executed, this trojan may inject code into the running process 'svchost.exe'. The trojan may drop a Batch script utility file used to remove files downloaded by the trojan. The Batch script file may have a random file name as in the following example:
Downloads Arbitrary Files
Win32/Tonick.gen!B may attempt to download arbitrary files from a predefined remote site. In the wild, we observed this trojan downloading files from the 'members.chello.pl' domain. The files are saved locally with the following names:
Win32/Tonick.gen!B may then execute 'c:\<random numbers>.bat' which removes the following files:
The trojan may make the following modifications to the registry. Note that 'HKCU\Software\VB and VBA Program Settings' is the key Visual Basic's SaveSetting function writes to, so the parent key is shared with legitimate Visual Basic programs; the indicators are the specific 'uz' and 'dt2' subkeys and values listed below:
Adds value: "z"
With data: "z"
To subkey: HKCU\Software\VB and VBA Program Settings\uz\z
Adds value: "x"
With data: "6/30/2008"
To subkey: HKCU\Software\VB and VBA Program Settings\dt2\x
Analysis by Tim Liu