Trojan:Win32/DotTorrent
First posted on 28 April 2010.
Source: SecurityHome
Aliases :
Trojan:Win32/DotTorrent is also known as Trojan.Fakealert.14886 (Dr.Web).
Explanation :
Trojan:Win32/DotTorrent is a family of trojans that displays misleading messages, warning the user that copyrighted content has been discovered on the affected computer. The malware does this in order to trick the user into paying a fee.
Installation
As part of its installation routine, Trojan:Win32/DotTorrent creates the folder:
%application data%\IQManager
The malware then drops a number of files in %application data%\IQManager, including the executable "iqmanager.exe", which performs the trojan's main payload.
Trojan:Win32/DotTorrent also creates the following registry entry so that "iqmanager.exe" is executed at each Windows start:
Adds value: "iqmanager.exe"
With data: "%application data%\IQManager\iqmanager.exe silent"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The following entry is also modified by the trojan so that its executable replaces explorer.exe as the default shell:
Adds value: "Shell"
With data: "%application data%\IQManager\iqmanager.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
This prevents Explorer and the Windows Start menu from appearing on system startup, and displays the trojan's interface instead.
It creates an uninstall entry for itself in the 'Uninstall or change a program' dialog, as well as a shortcut to iqmanager.exe on the desktop:
%desktop%\I-Q Manager.lnk
Payload
Displays fake warnings
Trojan:Win32/DotTorrent displays fake warnings to the user, claiming that copyrighted content has been detected on their computer. The trojan searches for .torrent files on all fixed drives on the system and lists these files in its interface, as shown below:
The malware displays warning messages in the taskbar, and also when the user attempts to close its interface.
Note: Trojan:Win32/DotTorrent will display these warnings regardless of whether any .torrent files are found on the system.
If the user clicks on any of the hyperlinks on the interface, or the "Pass the case to court" button, they are directed to seemingly legitimate websites that contain information supporting the trojan's claims. These websites are not legitimate; rather, they are elaborate hoax sites.
If, however, the user clicks on the "Settle case in pre-trial order" button, the user is directed to a website that requests the user's credit card details.
Modifies desktop background
Trojan:Win32/DotTorrent may also replace the user's desktop background with the image below:
Additional Information
Trojan:Win32/DotTorrent can display its interface text and warning message in any of the following languages, depending on the system's default locale: Czech, Danish, German, Dutch, Spanish, French, Portuguese, Slovak, English.
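The two registry changes described under Installation (the Run entry and the replaced Winlogon Shell value) are the simplest artefacts to hunt for. The following Python function is an added example, not part of the original write-up: it checks a set of (subkey, name, data) triples, such as those parsed from a registry export or collected by an endpoint agent, for a non-explorer.exe Shell value and for IQManager autorun entries. The sample triples are constructed, and the expanded path under AppData\Roaming is an assumption about where %application data% resolves.

```python
import re

# Registry locations named in the description above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Indicators from the description: the dropped executable and its folder.
IQMANAGER_EXE = re.compile(r"(?:^|\\)iqmanager\.exe\b", re.IGNORECASE)
IQMANAGER_DIR = re.compile(r"\\IQManager\\", re.IGNORECASE)


def check_registry_values(values):
    """values: iterable of (subkey, name, data) triples.
    Returns a list of (severity, description, value_name, data) findings."""
    findings = []
    for subkey, name, data in values:
        key = subkey.lower()
        if key == WINLOGON_KEY.lower() and name.lower() == "shell":
            # A per-user Shell value is normally absent; explorer.exe is the only
            # benign content. Anything else hijacks the session at logon, and the
            # IQManager path is the specific DotTorrent indicator.
            if data.strip().lower() != "explorer.exe":
                sev = "high" if IQMANAGER_EXE.search(data) else "medium"
                findings.append((sev, "Winlogon Shell replaced", name, data))
        elif key == RUN_KEY.lower():
            if IQMANAGER_EXE.search(data) or IQMANAGER_DIR.search(data):
                findings.append(("high", "IQManager autorun entry", name, data))
    return findings


# Constructed samples: a clean machine and one matching the description above.
# The AppData\Roaming path is an assumed expansion of %application data%.
CLEAN = [
    (WINLOGON_KEY, "Shell", "explorer.exe"),
    (RUN_KEY, "OneDrive",
     r"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]
INFECTED = CLEAN[1:] + [
    (WINLOGON_KEY, "Shell", r"C:\Users\me\AppData\Roaming\IQManager\iqmanager.exe"),
    (RUN_KEY, "iqmanager.exe",
     r"C:\Users\me\AppData\Roaming\IQManager\iqmanager.exe silent"),
]

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, check_registry_values(sample))
```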
Analysis by Amir Fouda
Last update 28 April 2010