Win32/Fuclip
Installation
The trojan is being spammed by e-mail. Several different variants of the message have appeared. The subject of the message may be one of the following:
230 dead as storm batters Europe
British Muslims Genocide
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
Hugo Chavez dead
Radical Muslim drinking enemies' blood
Sadam Hussein safe and sound!
Sadam Hussein alive!
Hugo Chavez dead.
Fidel Castro dead.
The attachment is an executable of the trojan. Its filename may be one of the following:
Full Clip.exe
Full Video.exe
Full Story.exe
Greeting Card.exe
Greeting Postcard.exe
Postcard.exe
Read More.exe
Video.exe
When executed, the trojan drops the following files in the %system% folder:
wincom32.sys
peers.ini
The trojan registers itself as a system service using the following name:
wincom32
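A mail-gateway style check for the subject lines and attachment names listed above, added here as an example (it is not code from the original write-up). The function names, the normalization rules and the sample message are assumptions made for this illustration.

```python
import email
from email import policy

# Indicator lists copied from this page, lower-cased, trailing period dropped.
SUBJECTS = {
    "230 dead as storm batters europe", "british muslims genocide",
    "u.s. secretary of state condoleezza rice has kicked german chancellor angela merkel",
    "hugo chavez dead", "radical muslim drinking enemies' blood",
    "sadam hussein safe and sound!", "sadam hussein alive!", "fidel castro dead",
}
ATTACHMENTS = {
    "full clip.exe", "full video.exe", "full story.exe", "greeting card.exe",
    "greeting postcard.exe", "postcard.exe", "read more.exe", "video.exe",
}

def norm(text):
    """Collapse whitespace, lower-case and drop a trailing period."""
    return " ".join((text or "").split()).lower().rstrip(".")

def check_message(raw_bytes):
    """Return indicator hits for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words in the Subject header.
    if norm(msg["Subject"]) in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        # Attachment names are compared case-insensitively.
        if name and norm(name) in ATTACHMENTS:
            hits.append("attachment")
    return hits

# Constructed sample: encoded-word subject ("Fidel Castro dead.") and a
# single-part MIME body carrying a listed attachment name in upper case.
SAMPLE = (
    b"From: a@example.test\r\n"
    b"Subject: =?utf-8?b?RmlkZWwgQ2FzdHJvIGRlYWQu?=\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="FULL STORY.EXE"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"AAAA\r\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

Exact-match lists like these only catch the lures named on this page, so a hit is a strong signal but a miss says nothing about other variants.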
Other information
The trojan can download and execute a file from the Internet. It can be controlled remotely.
The trojan might attempt to hide its presence in the system. It uses techniques common to rootkits.