Win32/Heur.dropper


Posted: July 4, 2011

Win32/Heur.dropper is a generic detection for Trojans that install other harmful applications onto your PC. Dropper Trojans like Win32/Heur.dropper may install spyware such as keyloggers, rogue security programs, worms that can reproduce via networks or even other Trojans. In some instances, Win32/Heur.dropper may also be a false positive instead of a real infection. Use appropriate security software to determine whether or not Win32/Heur.dropper is a real threat before removing Win32/Heur.dropper from your PC.

The Fake Win32/Heur.dropper You Can Relax Over

Win32/Heur.dropper has recently been reported as a common false positive from AVG anti-virus software. Confirmed Win32/Heur.dropper false positives include the executables for the Dead Space and Crysis 2 PC games, although many more may exist. To decide whether a Win32/Heur.dropper alert is a false positive, do the following:

  • Use an alternative anti-virus program to scan your PC. If multiple brands of security scanner can't find a Win32/Heur.dropper threat, chances are high that the Win32/Heur.dropper detection is a false positive.
  • Check whether the Win32/Heur.dropper detection reappears after removal. A detection that comes back in the same location with the same file name may be a false positive (the legitimate program simply restores or rewrites its file); one that comes back in a different location or under a different name is usually the real thing.
  • In many cases, your security software will report a Win32/Heur.dropper false positive but fail to remove it. However, some real Trojans also resist removal, so this shouldn't be treated as the sole indicator.
  • Lastly, note the location of the suspected Win32/Heur.dropper infection. Game executables and other large, complex programs are relatively likely to trigger false positive Win32/Heur.dropper alerts. Real Win32/Heur.dropper threats are more likely to be small, randomly-named or system-component-named files in your Windows directory, your Temp folder or other critical locations.

Once you have confirmed that a Win32/Heur.dropper warning is a false positive, it can be ignored without harming your PC. Add the specific file (not its whole folder) as an exception and keep your anti-virus software updated to minimize these false alerts.
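The checks above can be folded into a quick scoring script. The following Python code is an added example, not from the original page or from any anti-virus vendor: it takes the flagged file's path and size and applies the page's rules of thumb (an install directory and a large size argue for a false positive; a temp or profile directory, a random-looking or system-component name and a small size argue for a real dropper). The thresholds, the directory lists and all sample paths are assumptions constructed for the demo; the verdict is a starting point for the second-engine scan, not a replacement for it.

```python
"""Triage a file flagged as Win32/Heur.dropper: likely false positive or likely real?

Added example, not code from the original page or from any anti-virus vendor.
It turns the page's rules of thumb into a scoring function:
  - a large executable under a program or game install directory is a likely
    false positive;
  - a small file with a random-looking name, or one that borrows a Windows
    system component's name outside System32, sitting in %Temp%, Application
    Data or the Windows directory is a likely real dropper.
Every path and size below is constructed for the demo; thresholds are assumptions.
"""
import ntpath

# Names droppers borrow to blend in; legitimate copies live only in these directories.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Where the page says real droppers stage files, and where false positives usually sit.
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\application data\\")
PROGRAM_DIRS = ("\\program files\\", "\\program files (x86)\\", "\\steamapps\\")
SMALL_FILE = 200 * 1024          # assumption: dropper stubs are usually small
LARGE_FILE = 2 * 1024 * 1024     # assumption: game/application binaries are large


def looks_random(stem: str) -> bool:
    """Crude 'random file name' test: many digits, or letters with no vowels at all."""
    stem = stem.lower()
    if len(stem) < 5:
        return False
    digits = sum(c.isdigit() for c in stem)
    letters = [c for c in stem if c.isalpha()]
    if digits / len(stem) >= 0.3:
        return True
    return bool(letters) and not any(c in "aeiou" for c in letters)


def triage(path: str, size_bytes: int) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for a flagged file; a positive score means suspicious."""
    full = path.replace("/", "\\").lower()
    directory, name = ntpath.split(full)
    stem = ntpath.splitext(name)[0]
    score, reasons = 0, []

    if any(d in full for d in PROGRAM_DIRS):
        score -= 2
        reasons.append("lives under a program/game install directory")
    if size_bytes >= LARGE_FILE:
        score -= 1
        reasons.append("large binary: complex programs trip heuristic engines")
    if any(d in directory + "\\" for d in STAGING_DIRS) or directory.endswith("\\windows"):
        score += 2
        reasons.append("sits in a temp, profile or Windows staging directory")
    if looks_random(stem):
        score += 2
        reasons.append("random-looking file name")
    if name in SYSTEM_NAMES and not directory.startswith(SYSTEM_DIRS):
        score += 3
        reasons.append("borrows a Windows component name outside System32")
    if size_bytes < SMALL_FILE:
        score += 1
        reasons.append("small file, typical of a dropper stub")

    if score >= 3:
        verdict = "likely real dropper"
    elif score <= -1:
        verdict = "likely false positive"
    else:
        verdict = "inconclusive: rescan with a second engine and compare the file hash"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed cases: a game binary (the page names Dead Space and Crysis 2 as
    # confirmed false positives) and the kinds of paths the page lists as real indicators.
    for p, size in [
        (r"C:\Program Files (x86)\EA Games\Dead Space\Dead Space.exe", 9_000_000),
        (r"C:\Users\bob\AppData\Local\Temp\mswinsck.exe", 30_000),
        (r"C:\Users\bob\AppData\Local\Temp\xk3j9q2.exe", 41_000),
        (r"C:\Windows\svchost.exe", 60_000),
        (r"C:\Windows\System32\svchost.exe", 60_000),
    ]:
        verdict, why = triage(p, size)
        print(f"{p}\n  -> {verdict}: {'; '.join(why)}")
```

A genuine svchost.exe in System32 deliberately comes out as inconclusive rather than clean: a flagged system binary in its proper location is where you compare the file hash against a known-good copy or a second engine before touching it.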

The Real Win32/Heur.dropper You Should Be Ready For

Although fake Win32/Heur.dropper alerts abound, there are real Win32/Heur.dropper infections that you should also keep in mind. Since Win32/Heur.dropper is a heuristic or behavior-based detection, any two Win32/Heur.dropper infections can differ widely in their attributes.

However, all real Win32/Heur.dropper attackers are Trojans that focus on installing other harmful programs onto your PC. Most dropper Trojans like Win32/Heur.dropper also use various methods to hide this download and installation activity from you: Win32/Heur.dropper files may use the names of Windows programs or conceal themselves via rootkit techniques. Some of the major payloads that Win32/Heur.dropper may install are:

  • Spyware programs such as keyloggers. Keyloggers are capable of recording keyboard input and then sending that information to remote criminals to scavenge passwords and other personal data. More advanced types of spyware can also take screenshots, steal social contacts and cached login information or even monitor your webcam.
  • Rogue security applications. These include fake defraggers, fake anti-virus scanners and other fraudulent security software that imitates security functions in a superficial fashion. Most rogue programs try to steal your money or your credit card information and may block other programs to pressure you into purchasing them.
  • Remote Administration Tools or RATs. RATs installed by Win32/Heur.dropper give criminals remote control over your PC. Although RATs installed by Trojans like Win32/Heur.dropper are best known for conscripting PCs into DDoS attacks, they can also be employed for several other harmful activities.

File System Modifications

  • The following files are created on the system ("random" stands for an arbitrary, attacker-chosen name):
    %Temp%\mswinsck.exe
    %Temp%\random.dmp
    %Temp%\random.exe
    %UserProfile%\Application Data\defender.exe

Registry Modifications

  • The following Registry subkeys and values are newly produced:
    HKEY_CURRENT_USER\Software\Malware Defense
    HKEY_CURRENT_USER\Software\Paladin Antivirus
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableTaskMgr' = '1'
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'Protection Center'
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'tmp'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • The following Registry keys are newly produced:
    HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}

The 'DisableTaskMgr' = '1' policy value blocks Task Manager, and the two Run entries launch the dropped files at every logon; both are typical of the rogue security applications described above.
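As an added example (not code from the original page or from any vendor), the following Python script sweeps for the file and registry indicators listed on this page. It parses a text registry export (the output of `reg export` or a .reg file saved from regedit) so the registry check runs offline on any platform, and expands the %Temp% and %UserProfile% placeholders for the file paths. The sample export, the throw-away profile directory, the OneDrive entry and the xk3j9q2.exe name are constructed for the demo; 'random.exe' and 'random.dmp' are placeholders on the page, so they are deliberately not matched literally.

```python
"""Sweep a host for the Win32/Heur.dropper indicators listed on this page.

Added example, not part of the original page. The registry side works on a
text export so it runs offline on any platform; the file side expands Windows
environment placeholders such as %Temp%. The export text and the directory used
in the demo are constructed.
"""
import os
import re
import tempfile

# (kind, key, value name, expected data) taken from the page's indicator list.
# Data is compared in .reg syntax, so the page's 'DisableTaskMgr' = '1' is dword:00000001.
REGISTRY_IOCS = [
    ("key", r"HKEY_CURRENT_USER\Software\Malware Defense", None, None),
    ("key", r"HKEY_CURRENT_USER\Software\Paladin Antivirus", None, None),
    ("value", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", "dword:00000001"),
    ("value", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Protection Center", None),
    ("value", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "tmp", None),
    ("key", r"HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}", None, None),
]
# Fixed file names from the page; the 'random.*' entries are placeholders and are not matched literally.
FILE_IOCS = [r"%Temp%\mswinsck.exe", r"%UserProfile%\Application Data\defender.exe"]

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data, name may contain escaped quotes


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: raw data}}. Keys with no values map to {}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith("@="):
            keys[current]["(Default)"] = line[2:]
        elif current is not None and (m := _VALUE_LINE.match(line)):
            keys[current][m.group(1)] = m.group(2)
    return keys


def match_registry_iocs(keys: dict[str, dict[str, str]]) -> list[str]:
    """Registry key and value names are case-insensitive, so compare everything lower-cased."""
    index = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in keys.items()}
    hits = []
    for kind, key, name, expected in REGISTRY_IOCS:
        values = index.get(key.lower())
        if values is None:
            continue
        if kind == "key":
            hits.append(f"key present: {key}")
        elif name.lower() in values and (expected is None or values[name.lower()].lower() == expected.lower()):
            hits.append(f"value present: {key} '{name}' = {values[name.lower()]}")
    return hits


def expand_windows_vars(path: str, env: dict[str, str]) -> str:
    """Expand %Name% placeholders from a lower-cased env map, like ExpandEnvironmentStrings."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def check_file_iocs(env: dict[str, str]) -> list[str]:
    """Return the expanded indicator paths that exist; separators are normalised so it runs off-Windows."""
    hits = []
    for ioc in FILE_IOCS:
        candidate = expand_windows_vars(ioc, env).replace("\\", os.sep)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


# Constructed export: one benign Run entry plus the page's indicators (Paladin Antivirus omitted on purpose).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Protection Center"="\"C:\\Users\\bob\\Application Data\\defender.exe\""
"tmp"="C:\\Users\\bob\\AppData\\Local\\Temp\\xk3j9q2.exe"

[HKEY_CURRENT_USER\Software\Malware Defense]

[HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}]
@="Protection Center"
'''


def demo_file_iocs() -> list[str]:
    """Stand in for a user profile with a throw-away directory containing one planted indicator."""
    with tempfile.TemporaryDirectory() as profile:
        temp_dir = os.path.join(profile, "Temp")
        os.makedirs(temp_dir)
        with open(os.path.join(temp_dir, "mswinsck.exe"), "wb") as fh:
            fh.write(b"MZ")  # constructed placeholder, not a real binary
        return check_file_iocs({"temp": temp_dir, "userprofile": profile})


if __name__ == "__main__":
    for hit in match_registry_iocs(parse_reg_export(SAMPLE_REG_EXPORT)) + demo_file_iocs():
        print(hit)
```

A real `reg export` file is UTF-16 encoded; open it with encoding='utf-16' before passing the text to parse_reg_export. On a live host the env map comes from os.environ (lower-case the keys), and a hit on the Run entries should be followed by collecting the file they point to rather than just deleting the value.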