Downloader.Almanahe is a computer Trojan that has a sole purpose of downloading other threat that belongs to W32.Almanahe group. After it successfully download the most recent version of the Trojan, it will initiate its own removal and delete itself from the affected computer. This Trojan possesses a rootkit technology that able to conceal itself from antivirus and other security software.
Alias: Trojan-Downloader.Small!sd5, Trojan-Downloader.Win32.Small.gkm, W32/Almanahe, TROJ_SMALL.DXW, W32/Almanahe!dldr
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
When executed, Downloader.Almanahe will drop its rootkit component on the following location:
With rootkit running on the compromised computer, even antivirus program will hardly identify the presence of the Trojan. Rootkits can conceal the Trojan by injecting its code to legitimate Windows processes it may found running on the system.
Next, it loads the component by adding an entry on Windows registry. This step allows the Trojan to run automatically on Windows start-up. It also sets the default browser that user may initiate when browsing the Internet. Again, it accomplishes this task through registry modifications.
The malware then injects malicious code on Internet Explorer so that it can process other payload of this Trojan and one of which is to download additional threats from a remote server.
Lastly, Downloader.Almanahe will connect to a remote computer to download another variant. Once it confirms that the download is successful, it will now execute a dropped batch file in order to delete itself from the system.
Downloader.Almanahe may get inside the computer when users unintentionally visited malicious web sites through a series of browser redirect or spam method commonly accomplished by spam email messages. The Trojan can easily evade virus scanners because of its sophisticated rootkit technology.