This downloader Trojan attempts to use FTP.EXE to retrieve a binary from a hard-coded FTP server. The file was not available at the time of this writing.
FTP file download
The Trojan attempts to use FTP.EXE, commonly found in Windows environments, to retrieve binaries from the IP address 126.96.36.199. The Trojan first writes an FTP script to the Windows\Temp folder as "ABox.ftp", then launches FTP.EXE with this script to download the files. The FTP script contains instructions to retrieve these three files -
The files are to be stored into the Windows folder. The files were unavailable at the time of this writing.
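A detection sketch for the behaviour described above, added here as an example and not part of the original write-up: it flags process-creation events where ftp.exe is started with a command script from a Temp directory or with the script name ABox.ftp. It assumes the script is passed with ftp.exe's -s: switch (the write-up only says FTP.EXE is started "with this script"); the event field names and the sample events are constructed for illustration.

```python
import ntpath
import re

# ftp.exe takes a command script through its -s:<file> switch (assumed launch method).
SCRIPT_ARG = re.compile(r'-s:(?:"([^"]+)"|(\S+))', re.IGNORECASE)
KNOWN_SCRIPT_NAMES = {"abox.ftp"}  # script name reported in this write-up

def script_path(command_line):
    """Return the file passed to -s:, or None for an unscripted session."""
    m = SCRIPT_ARG.search(command_line)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip('"')

def assess(event):
    """Return the reasons a process-creation event looks like this downloader."""
    path = script_path(event["command_line"])
    if ntpath.basename(event["image"]).lower() != "ftp.exe" or path is None:
        return []
    reasons = []
    parts = ntpath.normpath(path).lower().split("\\")
    if "temp" in parts[:-1]:
        reasons.append("script in Temp directory")
    if parts[-1] in KNOWN_SCRIPT_NAMES:
        reasons.append("script name matches ABox.ftp")
    return reasons

# Constructed sample events (hypothetical field names, not from a real host).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\ftp.exe",
     "command_line": r"ftp.exe -s:C:\Windows\Temp\ABox.ftp"},
    {"image": r"C:\Windows\System32\FTP.EXE",
     "command_line": r'FTP.EXE -n -S:"C:\Users\ops\AppData\Local\Temp\nightly upload.ftp"'},
    {"image": r"C:\Windows\System32\ftp.exe",
     "command_line": r"ftp.exe -s:D:\jobs\upload.ftp"},   # scripted, not in Temp
    {"image": r"C:\Windows\System32\ftp.exe",
     "command_line": "ftp.exe 192.0.2.10"},               # interactive session
    {"image": r"C:\Tools\sync.exe",
     "command_line": r"sync.exe -s:C:\Windows\Temp\ABox.ftp"},  # not ftp.exe
]

def triage(events):
    """Map event index -> reasons, keeping only events with findings."""
    found = {i: assess(e) for i, e in enumerate(events)}
    return {i: r for i, r in found.items() if r}

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["command_line"], "->", "; ".join(reasons))
```

The second sample event shows why the Temp-directory rule alone needs triage: a scheduled upload job can match it, while the ABox.ftp name match is specific to this Trojan.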
When the FTP client connects to the FTP server, the FTP dialogue has the following properties -
Connected to 188.8.131.52
220-Jgaa's Fan Club FTP service
WarFTPd 1.82.00-RC9 (Aug 21 2004) Ready
(C)opyright 1996 - 2004 by Jarle (jgaa) AAse - all rights reserved.
- check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option