Virus

Download/KASEcard

Analysis

The Downloader is installed to a computer who starts to accept the Active X Certificate issued by the web site http://stop-card.com. This certificate is a spoofed issued by "KAS NET." Upon accepting, the program installs the "Flashplayer E-Card" to the infected system.
Then the program download additional files, which are detected as follows:
C:\Winnt\install.exe => "Download/KASECard"
C:\Winnt\svchst.exe => "W32/Small.GA-tr
The Trojan may also attempt to download the Bizex worm as these file names -
C:\Winnt\System32\_kwui.dll => "W32/Bizex-tr"
C:\Winnt\System32\_kwuiex.dll => "W32/Bizex-tr"
C:\Winnt\System32\zztp\svchost.exe => "W32/Bizex-tr"

ID	321820
Released	Mar 17, 2005
Description Updated	Mar 21, 2005
Aliases	Downloader-WG [McAfee], MultiDropper-IY [McAfee], Trojan-Dropper.Win32.Microjoin.gen [KAV], W32/Small.GA-tr

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Virus

Download/KASEcard

Analysis

Telemetry

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

FortiGuard Labs

Partners

Virus

Download/KASEcard

Analysis

Telemetry

Threat Intelligence
Center