Threat Encyclopedia


Win32/Downloader.Wren

Win32/Downloader.Wren is a family of Trojan horse programs that try to download and install other files from the internet without the user's consent or knowledge. This family of Trojans is not runtime compressed.


Installation and Autostart Techniques

Upon execution, the Trojan copies itself to the temp folder (%TEMP% environment path) using the Trojan's original file name. A progress bar is displayed during the download process.

The Trojan tries to download executable setup files and adds the following registry entry so that it starts automatically until the download has succeeded:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Stop-Sign_Install_Recovery" = "%TEMP%\<Trojan Executable Name> -k"

Note: The Trojan always executes the original file on the first startup, which means the copy in the temp folder becomes active only after the next reboot. If the download dialog is closed during the download, the Trojan removes this autostart key. It also removes the autostart key after a successful download of the software setup package and deletes itself from the %TEMP% folder.

Known filenames of the downloader are:

SS_STOPSIGN.EXE, SS_POPBLOCK.EXE, SS_TSCANNER.EXE, SS_SSCANNER.EXE and SS_SPAMBLOCK.EXE.

The Trojan can also use any other executable name.
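
A triage check built from the indicators above, added here as an example and not part of the original write-up: it scans the text of a `reg export` of the Run key for the autostart value name, the known file names, and any executable in a Temp folder started with -k. The function names, the Temp-plus-"-k" heuristic and the sample export are assumptions made for illustration; only plain string (REG_SZ) values are parsed.

```python
import re

# Indicators from the write-up above; matching is case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_NAME = "stop-sign_install_recovery"
KNOWN_FILES = {"ss_stopsign.exe", "ss_popblock.exe", "ss_tscanner.exe",
               "ss_sscanner.exe", "ss_spamblock.exe"}
SECTION = re.compile(r"^\[(.+)\]$")
# "name"="data" lines (REG_SZ only); \\ and \" are escapes in .reg files.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumed heuristic: an .exe directly in a Temp folder started with "-k".
TEMP_K = re.compile(r'(?:%temp%|\\temp)\\[^\\"]+\.exe"?\s+-k\b')

def scan_reg_export(text):
    """Return (value name, command, reasons) for suspicious Run values."""
    findings, in_run = [], False
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:  # a new key section starts; only the HKLM Run key is checked
            in_run = m.group(1).lower() == RUN_KEY
            continue
        m = VALUE.match(line)
        if not (in_run and m):
            continue
        name, cmd = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        low, reasons = cmd.lower(), []
        if name.lower() == VALUE_NAME:
            reasons.append("value name")
        exe = re.search(r'[^\\"]+\.exe', low)  # file name of the first .exe
        if exe and exe.group(0) in KNOWN_FILES:
            reasons.append("known file name")
        if TEMP_K.search(low):  # covers renamed copies of the downloader
            reasons.append("temp path with -k")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings

# Constructed sample export, not taken from a real system.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\ExampleApp\\app.exe"
"Stop-Sign_Install_Recovery"="C:\\Users\\analyst\\AppData\\Local\\Temp\\SS_STOPSIGN.EXE -k"
"Updater"="C:\\DOCUME~1\\analyst\\LOCALS~1\\Temp\\setup1.exe -k"
'''

if __name__ == "__main__":
    print(*scan_reg_export(SAMPLE), sep="\n")
```

Because the Trojan removes the autostart entry after a successful or cancelled download, an empty result does not show that the downloader never ran.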

History: Analysis and Write-up by: Michael St. Neitzel