
sncntr.exe

Also known as Downloader-DC trojan, Troj/Dluca-I, sncntr.downloader

Troj/Dluca-I is a downloader Trojan which downloads executables from remote servers and installs/runs them.

The purpose of this trojan is simply to download a file from the Internet and execute it. It does not self-replicate. Downloader trojans are frequently sent in spammed emails designed to entice the recipient into running the file. Other likely distribution channels for this trojan include IRC, peer-to-peer file-sharing networks, attachments in newsgroup postings, etc. Trojans may also be received as a result of poor security practices (weak username/password combinations on open shares, missing or misconfigured firewall protection), or unpatched and vulnerable systems.

When first run Troj/Dluca-I copies itself to the Windows system folder as sncntr.exe and creates the following registry entry, so that sncntr.exe is run automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sncntr = %SYSTEM%\sncntr.exe /nocomm

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "dluca" = "%SysDir%\msinstall\dlu32\dluca\dluca.exe /noconnect"

It also creates the following registry entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    sncntr = %SYSTEM%\sncntr.exe /nocomm
  • HKEY_CLASSES_ROOT\WINK File\shell\open\command
    "(Default)" = %SysDir%\msinstall\dlu32\dluca\dluca.exe %1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\dluca
    "DisplayName" = dluca
  • HKEY_LOCAL_MACHINE\Software\sncntr\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sncntr\

Troj/Dluca-I can be uninstalled via the Add or Remove Programs dialog in the Windows Control Panel (Start - Settings - Control Panel - Add/Remove Programs) by selecting "sncntr" from the list.
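To confirm whether the registry entries and files listed above are present (for example, after the uninstall), a read-only check like the following can be run in PowerShell. This is an added example, not part of the original post; the Wow6432Node and SysWOW64 locations are assumptions added to cover 32-bit redirection on 64-bit Windows.

```powershell
# Added example: read-only check for the Troj/Dluca-I artifacts listed on this page.
# Nothing is modified or deleted; run from an elevated session for full visibility.

# Assumption: on 64-bit Windows a 32-bit program is redirected to
# Software\Wow6432Node and SysWOW64, so both views are checked.
$softwareRoots = 'HKLM:\Software', 'HKLM:\Software\Wow6432Node'
$systemDirs = @([Environment]::SystemDirectory, "$env:windir\SysWOW64") | Select-Object -Unique
$findings = @()

foreach ($root in $softwareRoots) {
    # Autostart values named on the page: "sncntr" and "dluca" under ...\Run
    $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    foreach ($name in 'sncntr', 'dluca') {
        if ($run -and $run.PSObject.Properties[$name]) {
            $findings += [pscustomobject]@{ Kind = 'Run value'; Location = "$runKey\$name"; Data = $run.$name }
        }
    }
    # Whole keys named on the page
    foreach ($sub in 'sncntr',
                     'Microsoft\Windows\CurrentVersion\Uninstall\sncntr',
                     'Microsoft\Windows\CurrentVersion\Uninstall\dluca') {
        if (Test-Path -LiteralPath "$root\$sub") {
            $findings += [pscustomobject]@{ Kind = 'Key'; Location = "$root\$sub"; Data = '' }
        }
    }
}

# File-type handler that points "WINK File" at dluca.exe
$assoc = 'Registry::HKEY_CLASSES_ROOT\WINK File\shell\open\command'
if (Test-Path -LiteralPath $assoc) {
    $cmd = (Get-ItemProperty -LiteralPath $assoc -ErrorAction SilentlyContinue).'(default)'
    $findings += [pscustomobject]@{ Kind = 'File handler'; Location = $assoc; Data = $cmd }
}

# Files referenced by the registry values above
foreach ($dir in $systemDirs) {
    foreach ($rel in 'sncntr.exe', 'msinstall\dlu32\dluca\dluca.exe') {
        $file = Join-Path $dir $rel
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $findings += [pscustomobject]@{ Kind = 'File'; Location = $file; Data = (Get-Item -LiteralPath $file).LastWriteTime }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the Troj/Dluca-I artifacts listed on this page were found.' }
```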

