Troj/Dloader-FR

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Dloader-FR is a downloader Trojan.

Troj/Dloader-FR may not download files if it finds certain keywords in the Cookies, Favorites or History folders, or if it finds the following registry entries:

HKCU\Software\Agnitum\Outpost Firewall Pro
HKCU\Software\Symantec

Troj/Dloader-FR deletes entries relating to itself at the following locations in the registry, stopping itself from running on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

Troj/Dloader-FR attempts to download and execute DLL and EXE files from a remote location to the Windows folder and also to notify PHP websites that the download has taken place. The DLL files OPENWIN.DLL and MSMSGNC.DLL are downloaded and loaded using REGSVR32.EXE, and the EXE files MSMSGNCE.EXE and NVSVWC.EXE are downloaded and executed.

The file downloaded as NVSVWC.EXE is currently detected as Troj/TCXMedi-C, the file downloaded as MSMSGNCE.EXE is currently detected as Troj/TCXMedi-D, the file downloaded as MSMGNC.DLL is currently detected as Troj/TCXMedi-F and the file downloaded as OPENWIN.DLL is currently detected as Troj/StartPa-EI.

Troj/Dloader-FR has been seen downloading from and notifying the websites with the following references:

195.225.177.14 and 195.225.176.3.

Troj/Dloader-FR moves itself to a file in the same folder it is run from, with the same filename but with ".1" appended. Troj/Dloader-FR then attempts to delete this file.
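The REGSVR32.EXE loading, dropped-EXE execution and website contact described above can be expressed as a simple triage rule over endpoint events. This is an added example, not Sophos code: the event dictionary layout and the sample events are constructed for illustration, and matching is by file name only, so a hit is a lead for investigation rather than a verdict.

```python
import ntpath
import re

# Indicators taken from the description above.
# The page spells the second DLL both MSMSGNC.DLL and MSMGNC.DLL, so both are listed.
DLL_NAMES = {"openwin.dll", "msmsgnc.dll", "msmgnc.dll"}
EXE_NAMES = {"msmsgnce.exe", "nvsvwc.exe"}
REMOTE_IPS = {"195.225.177.14", "195.225.176.3"}

def classify(event):
    """Return a finding string for one event dict, or None if nothing matches."""
    kind = event.get("type")
    if kind == "process":
        image = ntpath.basename(event["image"]).lower()
        if image in EXE_NAMES:
            return "dropped-exe-run:" + image
        if image == "regsvr32.exe":
            # Split the command line into tokens, keeping quoted paths whole.
            tokens = re.findall(r'"[^"]*"|\S+', event.get("command_line", ""))
            for tok in tokens[1:]:
                name = ntpath.basename(tok.strip('"')).lower()
                if name in DLL_NAMES:
                    return "regsvr32-load:" + name
    elif kind == "network" and event.get("dest_ip") in REMOTE_IPS:
        return "contact:" + event["dest_ip"]
    return None

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events (hypothetical layout, not a real log format).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\WINDOWS\OPENWIN.DLL"'},
    {"type": "process", "image": r"C:\WINDOWS\NVSVWC.EXE",
     "command_line": r"C:\WINDOWS\NVSVWC.EXE"},
    {"type": "network", "image": r"C:\Users\a\file.exe", "dest_ip": "195.225.177.14"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\scrobj.dll"},
    {"type": "network", "image": r"C:\Program Files\app.exe", "dest_ip": "192.0.2.10"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```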
