
Encyclopedia

Downloader.WCF

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Downloader.WCF connects to the website http://www.anella20<blocked>emporario.com in order to download malicious files to the system.

Infection strategy 

Downloader.WCF creates the following files:

  • DYNAMIC.DLL, in the Windows directory.
  • FOTOS.EXE, in the Windows system directory.
  • FOTO[1].DLL and MICHAEL[1].GIF, in the temporary Internet files directory.

 

Downloader.WCF creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
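
The file and registry artifacts listed above can be checked on a host with a short script. This is an added example, not Panda Security's own tooling. It assumes that the registry "entry" may be either a key or a value named DownloadManager, and that on 64-bit Windows a 32-bit sample would be redirected to SysWOW64 and WOW6432Node, so both views are checked.

```powershell
# Added example: host check for the Downloader.WCF artifacts listed in this entry.
# Assumptions (not from the page): 32-bit redirection to SysWOW64 / WOW6432Node,
# and the registry entry being either a key or a value named DownloadManager.
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location })
}

# Files with fixed locations: Windows directory and Windows system directory.
$fixedFiles = @(
    (Join-Path $env:windir 'DYNAMIC.DLL'),
    (Join-Path $env:windir 'System32\FOTOS.EXE'),
    (Join-Path $env:windir 'SysWOW64\FOTOS.EXE')
)
foreach ($path in $fixedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) { Add-Finding 'File' $path }
}

# Cached downloads: the names contain [ ], which PowerShell treats as wildcard
# characters in -Path, so the names are compared as plain strings instead.
$cacheNames = @('FOTO[1].DLL', 'MICHAEL[1].GIF')
$cacheDir = [Environment]::GetFolderPath('InternetCache')   # current user only
if ($cacheDir -and (Test-Path -LiteralPath $cacheDir)) {
    Get-ChildItem -LiteralPath $cacheDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $cacheNames -contains $_.Name } |
        ForEach-Object { Add-Finding 'File' $_.FullName }
}

# Registry entry, in the native view and the 32-bit redirected view.
$parents = @('HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft')
foreach ($parent in $parents) {
    if (-not (Test-Path -LiteralPath $parent)) { continue }
    if (Test-Path -LiteralPath "$parent\DownloadManager") {
        Add-Finding 'Registry key' "$parent\DownloadManager"
    }
    if ((Get-Item -LiteralPath $parent).GetValueNames() -contains 'DownloadManager') {
        Add-Finding 'Registry value' "$parent -> DownloadManager"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Downloader.WCF artifacts from this entry were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated 64-bit PowerShell session. The file names are generic, so a hit is a lead to investigate further, and the cache search covers only the profile of the user running the script.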

Means of transmission 

Downloader.WCF reaches the computer in an email message which includes a link to a YouTube video about Michael Jackson's death.

If users follow this link, a file that passes itself off as a video is downloaded. This file has the following appearance:

When this file is run, Downloader.WCF is actually downloaded to the affected computer. To divert users' attention, they are redirected to a legitimate website that displays news about Michael Jackson's death, as can be seen in the following image:

However, Downloader.WCF does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Downloader.WCF is written in the programming language Visual Basic v6.0. This Trojan is 28,672 bytes in size.

Last updated:  01/07/2009 
