Aliases: Troj/Manifest-A, Trojan.Win32.ManifestDestiny.a, Trojan.Manifest, TROJ_MANIFEST.A, Win32/ManDest.A
Variants: W32.Manifest.Trojan, ManifestDest, W32/Trojan!d3c0, W32/Trojan!61a7, Win32:Trojan-gen

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: Europe, North and South America
Removal: Easy
Platform: W32
Discovered: 26 Nov 2002
Damage: Low

Characteristics: Consistent with the characteristics of Trojan Horse malwares, the W32.Manifest.Trojan misrepresents itself as a type of video codec which is circulated among Peer to Peer file sharing networks. This particular threat is designed to install a File Transfer Protocol engine in the infected computer system. To support the file transfer functionality the Trojan Horse will also create a monitoring application as well as a mail server in the compromised machine.

More details about W32.Manifest.Trojan

A successful execution of the W32.Manifest.Trojan into the compromised computer system will allow the dropping of numerous file components. These files components will be placed in the Service subfolder under the directory where installed application components are located. The W32.Manifest.Trojan will normally make use of bitmap, system, initialization, and executable file types for its components. In some instances, the files extracted are versions of publicly or commercially available applications and so they are not detected as viral by security programs. Majority of the filenames used appear to reference communication programs or providers. After it has finished installation of these components the W32.Manifest.Trojan will resume by extracting at least three Dynamic Link Library files in the same directory folder as the operating system files.

What the W32.Manifest.Trojan does is that it takes components from various public or commercial program and incorporates them into its own. Various computer security experts have observed that the Internet monitoring module, File Transfer Protocol engine, and Simple Mail Transfer Protocol engine used by the W32.Manifest.Trojan comes from different applications. Even the Dynamic Link Library files are versions found in distributable compression utilities. The W32.Manifest.Trojan will modify the contents of the Windows Registry by adding key values that will point to the location of its main executable file. It will send system and user information to a predetermined website.