Actually, their primary distribution is via Windows file sharing (i.e. ports 135, 139, 445) via SDBot, Robobot, RBot, etc. variants. The primary reason they're called "Downloader" is because once on the system they unpack their payload, connect to an IRC server for remote control, and download additional payload (a recent favorite is spyware/adware...why just infect systems when you can make money!).
There are so many of these out there and so many new (but only changed in small ways, i.e. packed with a different crypter) variants daily that it's hard for me to even keep up with the ones I catch (13 honeypots on the Internet). It's crazy.

sk3tch

http://lurker.clamav.net/list/clamav-users.html
