Virus: TR/Dldr.Agent.gcx
Date discovered: 24/10/2008
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Medium
Distribution Potential: High
Damage Potential: High
Static file: No
File size: ~ 360.000 Bytes
IVDF version: 7.00.07.81 - Friday, October 24, 2008

General Method of propagation:
   • Local network


Aliases:
   •  McAfee: Spy-Agent.da trojan
   •  Kaspersky: Trojan-Downloader.Win32.Agent.alce
   •  F-Secure: Trojan-Downloader.Win32.Agent.alce
   •  Sophos: Troj/Gimmiv-A
   •  Bitdefender: Win32.Worm.Gimmiv.A


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops a malicious file
   • Steals information
   • Third party control

Files
The following files are created:

%SYSDIR%\wbem\sysmgr.dll – Further investigation showed that this file is malware as well. Detected as: TR/Dldr.Agent.gcx

%TEMPDIR%\%eight-digit random character string%.bat – This batch file is used to delete a file.

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SYSTEM\ControlSet001\Services\sysmgr\Parameters]
   • "ServiceDll"=%SYSDIR%\%malware dll%
   • "ServiceMain"="ServiceMainFunc"

The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   • "sysmgr"=%hex values%
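An added defender's check, not part of the Avira description: it enumerates every service group registered under the SvcHost key and resolves each member's ServiceDll, so a dedicated group such as "sysmgr" that points at an unsigned DLL under %SYSDIR%\wbem stands out. It assumes an elevated PowerShell session on the host being examined and queries CurrentControlSet rather than the ControlSet001 path quoted above.

```powershell
# Added example (not from the Avira description): enumerate svchost-hosted
# services and report where each one's ServiceDll actually points.
# Assumptions: run in an elevated PowerShell on the host being examined;
# CurrentControlSet is queried rather than the ControlSet001 path above.
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$groups     = Get-ItemProperty -Path $svcHostKey

$findings = foreach ($group in $groups.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
    if ($group.Name -like 'PS*') { continue }

    # Each group value is REG_MULTI_SZ: one service name per element
    $members = @($group.Value)
    foreach ($svc in $members) {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        # ServiceDll is usually REG_EXPAND_SZ; expand %SystemRoot% etc.
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }

        [PSCustomObject]@{
            Group      = $group.Name
            Service    = $svc
            ServiceDll = $path
            Signature  = $status
            # A one-member group named after its own service (as with
            # "sysmgr" here) combined with an unsigned DLL merits a closer look
            Suspicious = (($status -ne 'Valid') -or
                          ($members.Count -eq 1 -and $members[0] -eq $group.Name))
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The Suspicious column is a triage hint, not a verdict: a few legitimate Windows groups also carry a single member, so confirm the DLL path and signature before acting on a row.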

Backdoor
Contact server, one of the following:
   • 212.227.93.146
   • 64.233.189.147
   • 202.108.22.44

As a result it may send some information, and it periodically repeats the connection. The connection is made via an HTTP GET request to a PHP script.


Sends information about:
   • Add or Remove Programs list
   • Computer name
   • Information about the network
   • The collected information described in the Stealing section
   • Username
   • Information about the Windows operating system

Stealing
It tries to steal the following information:

– Passwords from the following programs:
   • Outlook Express
   • MSN Messenger
   • Protected Storage

File details
Programming language: The malware program was written in MS Visual C++.

Description inserted by Thomas Wegele on Friday, October 24, 2008
Description updated by Alexander Vukcevic on Friday, October 24, 2008