
2009-02-17 Lando virus (latest virus)

Lando virus

Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/17/2009
Date Added: 2/17/2009
Origin: N/A
Length: 16,896 bytes
Type: Trojan
Subtype: Downloader Generic
DAT Required: 5529

Description
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Methods of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. However, they may also be downloaded by other viruses and/or Trojans already present and installed on the user's system.
Many of these are mass spammed by the author to entice people into double-clicking on them. Alternatively, they may be installed by visiting a malicious

Virus Characteristics
This Trojan injects threads into Internet Explorer. The injected threads create outbound TCP connections to the following IPs to download a file:
78.110.175.15
66.116.131.209
76.163.147.77
76.163.124.43
76.162.92.47
76.163.202.9
64.17.143.140
71.18.215.20
81.18.249.216
76.163.46.215
94.247.2.58
195.24.76.250
The threads repeatedly try to connect to these IPs on hundreds of increasing port numbers, hoping to find a port that firewall rules leave open for outbound connections to legitimate services.
At the time of testing, the requested file was not being served by any of the above IPs.
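The port-walking behaviour described above is itself a detection opportunity: a single process opening connections to one destination across a long run of consecutive ports is not how a browser normally behaves, whether or not the firewall blocks each attempt. The following script is an added illustration, not part of the original advisory or of any vendor tooling. It parses a constructed host-firewall log format (hypothetical, not a real product's format), flags any process/destination pair whose connection attempts cover at least a threshold number of consecutive ports (the threshold of 20 is an assumption), and separately checks destinations against the IP list given in the advisory. The sample log lines are constructed for the example; the 192.0.2.0/24 addresses are documentation addresses.

```python
"""Flag a process sweeping consecutive ports toward one destination, plus IoC matching.

Added example, not part of the original advisory. The log format below is a
constructed, hypothetical host-firewall format and the threshold is an assumption.
"""
import re
from collections import defaultdict

# Destination IPs exactly as listed in the advisory.
LANDO_IPS = {
    "78.110.175.15", "66.116.131.209", "76.163.147.77", "76.163.124.43",
    "76.162.92.47", "76.163.202.9", "64.17.143.140", "71.18.215.20",
    "81.18.249.216", "76.163.46.215", "94.247.2.58", "195.24.76.250",
}

# Hypothetical log line layout:
#   <date> <time> <process> <src_ip> -> <dst_ip>:<dst_port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>\w+)$"
)


def build_sample_log():
    """Constructed sample: iexplore.exe walking ports 1025-1064 toward one listed IP,
    plus a few benign connections. Not real telemetry."""
    lines = [
        "2009-02-17 10:00:00 svchost.exe 192.0.2.10 -> 192.0.2.5:443 ALLOW",
        "2009-02-17 10:00:01 iexplore.exe 192.0.2.10 -> 192.0.2.6:80 ALLOW",
        "2009-02-17 10:00:02 iexplore.exe 192.0.2.10 -> 192.0.2.6:443 ALLOW",
    ]
    for i, port in enumerate(range(1025, 1065)):
        lines.append(
            f"2009-02-17 10:01:{i % 60:02d} iexplore.exe 192.0.2.10 -> 78.110.175.15:{port} BLOCK"
        )
    return lines


def parse(lines):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["port"] = int(event["port"])
            events.append(event)
    return events


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive integers among the given ports."""
    port_set = set(ports)
    best = 0
    for p in port_set:
        if p - 1 in port_set:
            continue  # only start counting at the beginning of a run
        length = 1
        while p + length in port_set:
            length += 1
        best = max(best, length)
    return best


def detect_port_sweeps(events, min_run=20):
    """Return (process, dst_ip, run_length) for every process/destination pair
    whose attempts cover at least min_run consecutive ports. Blocked attempts
    count too: the sweep is visible even when the firewall holds."""
    by_flow = defaultdict(set)
    for e in events:
        by_flow[(e["proc"], e["dst"])].add(e["port"])
    alerts = []
    for (proc, dst), ports in by_flow.items():
        run = longest_consecutive_run(ports)
        if run >= min_run:
            alerts.append((proc, dst, run))
    return alerts


def match_iocs(events, ioc_ips=LANDO_IPS):
    """Sorted list of destination IPs in the log that appear on the advisory's list."""
    return sorted({e["dst"] for e in events if e["dst"] in ioc_ips})


if __name__ == "__main__":
    evs = parse(build_sample_log())
    for alert in detect_port_sweeps(evs):
        print("port sweep:", alert)
    print("IoC hits:", match_iocs(evs))
```

The two checks complement each other: the IoC match only fires on the exact addresses published in the advisory, while the consecutive-port heuristic fires on the behaviour and so still catches a variant that has moved to different servers. In a real deployment the process name and destination would be joined from whatever firewall or endpoint telemetry is available, and the run threshold tuned against the environment's baseline.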

All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
