Virus:TR/Agent.NL.21
Date discovered:11/09/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:82.944 Bytes
MD5 checksum:4e19ffc16eaca8513df29d1489e69396
VDF version:6.35.01.208
IVDF version:6.35.01.212 - Tuesday, September 12, 2006

 General Alias:
   •  Kaspersky: Trojan.Win32.Agent.nl


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Blocks access to security websites
   • Registry modification
   • Third party control

 Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Explorer 2238"=%malware execution directory%\%executed file%



The values of the following registry keys are removed:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DCOM Server
–  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DCOM Server


The following registry keys are added:

– HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\
   InProcServer32
   • "(Default)""=%malware execution directory%\%executed file%
   • "ThreadingModel"="Apartment"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   SharedTaskScheduler
   • "{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
   ShellServiceObjectDelayLoad
   • "DCOM Server 2238"="{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"

 Hosts The host file is modified as explained:

– In this case already existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • www.trendmicro.com; rads.mcafee.com; customer.symantec.com;
      liveupdate.symantec.com; us.mcafee.com; updates.symantec.com;
      www.nai.com; secure.nai.com; dispatch.mcafee.com; download.mcafee.com;
      www.my-etrust.com; mast.mcafee.com; ca.com; www.ca.com;
      networkassociates.com; www.networkassociates.com; avp.com;
      www.kaspersky.com; www.avp.com; downloads4.kaspersky-labs.com;
      downloads3.kaspersky-labs.com; downloads2.kaspersky-labs.com;
      downloads1.kaspersky-labs.com; www.f-secure.com; viruslist.com;
      www.viruslist.com; liveupdate.symantecliveupdate.com; www.mcafee.com;
      sophos.com; www.sophos.com; securityresponse.symantec.com;
      www.symantec.com


 Backdoor The following port is opened:

%executed file% on a random TCP port


Contact server:
The following:
   • 208.66.195**********:2238



Remote control capabilities:
    • Disable DCOM
    • Download file
    • Send emails

 Miscellaneous Mutex:
It creates the following Mutexes:
   • hs5pdllv42238
   • hs5p_av_mutex

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Bogdan Iliuta on Monday, October 2, 2006
Description updated by Bogdan Iliuta on Friday, October 27, 2006

Back . . . .