Troj/Dloader-MK is a downloader Trojan on the Windows platform.
Once installed, the Trojan displays a fake message box with the caption 'Windows Security Center' and the text 'WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.'
If the user clicks the Yes button, Troj/Dloader-MK opens Internet Explorer at a remote search engine website. If the user clicks the No button, the message box closes.
Whichever option is chosen, the Trojan then adds a shell tray (notification area) icon that shows a balloon tip with the following message:
'Your computer might be at risk
- Your virus protection status is bad
- Spyware Activity Detected.
Click this balloon to fix this problem'
Once the balloon is clicked, Troj/Dloader-MK spawns an Internet Explorer process which attempts to connect to a remote website and download a Microsoft Windows HTML Help (CHM) file.
The Trojan also attempts to download files from other remote websites silently and run them.
When run, the Trojan creates the following registry entry so that it runs on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<Trojan filename> = <path to Trojan>
Troj/Dloader-MK also creates the following registry entries:
HKCR\CLSID\(random Class ID)\Data
DataD = <sequence of hexadecimal bytes>
(default) = <sequence of hexadecimal bytes>
DataE = <random number>
DataB = <random number>
HKCR\CLSID\(random Class ID)\LocalServer
(default) = <path to Trojan>
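As an added, defender-side example that is not part of this advisory, the following Python parses an exported .reg file offline and flags the persistence pattern described above: a CLSID key whose Data subkey carries the DataB/DataD/DataE values, a LocalServer default that names an executable, and a Run entry launching the same file. The .reg text, the CLSID, the user name and the file paths are constructed placeholders, not indicators from the page.

```python
import re
# Constructed sample .reg export (not from the advisory); CLSID, user and file names are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"updater.exe"="C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"
[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\Data]
"DataD"=hex:4d,5a,90,00
@=hex:00,01,02
"DataE"=dword:0000beef
"DataB"=dword:00001234
[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\LocalServer]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"
"""
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')      # "name"=data or @=data (default value)
CLSID_DATA_RE = re.compile(r"^(HKEY_CLASSES_ROOT\\CLSID\\\{[^}]+\})\\Data$", re.IGNORECASE)
MARKER_VALUES = {"DataB", "DataD", "DataE"}             # value names the advisory lists under ...\Data
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: raw_data}}; the default value is stored as '@'."""
    keys, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line.strip())
        if val and current is not None:
            keys[current][val.group(1) if val.group(1) is not None else "@"] = val.group(3)
    return keys

def find_suspicious_clsids(keys):
    """CLSIDs whose Data subkey holds the DataB/DataD/DataE trio and whose LocalServer default names a file."""
    hits = []
    for key, values in keys.items():
        m = CLSID_DATA_RE.match(key)
        if m and MARKER_VALUES.issubset(values):
            server = keys.get(m.group(1) + r"\LocalServer", {}).get("@")
            if server:  # un-quote the .reg string and collapse its doubled backslashes
                hits.append((m.group(1), server.strip('"').replace("\\\\", "\\")))
    return hits

def run_entries_for(keys, paths):
    """Run-key value names whose data is one of the given paths (the logon-persistence half of the pattern)."""
    wanted = {p.lower() for p in paths}
    return sorted(n for n, d in keys.get(RUN_KEY, {}).items()
                  if d.strip('"').replace("\\\\", "\\").lower() in wanted)
```

Running it against a real export (reg export HKCR\CLSID and the Run key) lists each CLSID that matches the pattern together with the executable it launches, so the two findings can be correlated before deciding on cleanup.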