Virus:TR/Drop.Agent.xgt
Date discovered:29/10/2008
Type:Trojan
Subtype:Dropper
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:43.520 Bytes
MD5 checksum:89fafe16e1b02883ea9f070079f205de
VDF version:7.00.06.216
IVDF version:7.00.06.219 - Saturday, September 27, 2008

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Dropper.Win32.Agent.xgt
   •  F-Secure: Trojan-Dropper.Win32.Agent.xgt
   •  Panda: Trj/Downloader.MDW
   •  Eset: Win32/TrojanDownloader.Small.OCS
   •  Bitdefender: Trojan.Agent.AKHF


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

Files:
It deletes the initially executed copy of itself.



The following files are created:

%SYSDIR%\winhoo32.dll
   This file is executed as soon as it has been completely written. Further investigation showed that this file is malware, too. Detected as: TR/Hijacker.Gen

%malware execution directory%\%executed file%.bat



It tries to execute the following files:

– Filename:
   • %SYSDIR%\cmd.exe
using the following command line arguments: /c start iexplore -embedding
   (this starts Internet Explorer in embedding mode, i.e. as a COM server, which normally shows no window)


– Filename:
   • %SYSDIR%\winver.exe

Registry:
The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\MSSMGR\] (Hidden)
– [HKLM\SOFTWARE\Microsoft\MSSMGR]
   • Data=dword:066a5927
   • LSTV=hex:d8,07,0b,00,01,00,18,00,0a,00,02,00,1e,00,7c,00
   • Brnd=dword:00000bba
   • MSLIST=hex:83,98,99,9e,d5,df,de,9d,91,91,87,97,82,9e,8a,9f,93,99,8f,d0,91,65,75,2d,6a,69,62,29,64,65,6d,24,7b,64,7d,0e,3f,10,21,12,23,14,7d,62,63,68,23,35,34,6c,72,6c,71,46,40,56,0d,4a,40,52,08,41,44,4d,04,4f,40,4a,01,40,59,42,33,04,35,06,37,08,39,52,4f,48,4d,04,10,6f,28,35,22,2a,31,35,22,29,3b,29,23,62,23,2b,3b,7f,38,3f,34,7b,36,3b,33,76,29,32,2b,5c,6d,5e,6f,60,51,62
   • PID=dword:00000003
   • Rid=dword:00000266

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win%three-digit random character string%32]
   • Asynchronous=dword:00000001
   • DllName="winhoo32.dll"
   • Impersonate=dword:00000000
   • Startup="busStartup"
   • Shutdown="busShutdown"
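
An added example, not part of the Avira description: a small Python script that checks a regedit (.reg) export for the persistence artefacts listed above (the MSSMGR key, and a Winlogon Notify subkey that loads winhoo32.dll or exposes the busStartup/busShutdown entry points) and compares a file's MD5 against the hash given for the dropper. The .reg text is constructed for illustration, the benign crypt32chain entry is included only as a contrast, and the assumption that the three random characters in the win%...%32 subkey name are alphanumeric is mine.

```python
import hashlib
import re

# Indicators taken from the description above.
KNOWN_DROPPER_MD5 = "89fafe16e1b02883ea9f070079f205de"
DROPPED_DLL = "winhoo32.dll"
MSSMGR_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSSMGR"
NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")
# win%three-digit random character string%32: assumed alphanumeric (my assumption).
NOTIFY_SUBKEY_PATTERN = re.compile(r"win[a-z0-9]{3}32", re.IGNORECASE)

# Constructed sample .reg export (not a real capture): one benign Winlogon
# Notify entry for contrast, plus the keys this dropper adds.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]
"Data"=dword:066a5927
"Brnd"=dword:00000bba
"PID"=dword:00000003
"Rid"=dword:00000266

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winabc32]
"Asynchronous"=dword:00000001
"DllName"="winhoo32.dll"
"Impersonate"=dword:00000000
"Startup"="busStartup"
"Shutdown"="busShutdown"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}.
    Data is kept as the raw right-hand side ("...", dword:..., hex:...);
    REG_EXPAND_SZ written as hex(2): is not decoded."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw):
    """Return the text of a REG_SZ datum written as "..."; None for other types."""
    if raw is not None and len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return None


def find_indicators(keys):
    """Return human-readable findings for the registry artefacts of this dropper."""
    findings = []
    for path, values in keys.items():
        if path == MSSMGR_KEY or path.startswith(MSSMGR_KEY + "\\"):
            findings.append(f"MSSMGR key present: {path} ({len(values)} values)")
            continue
        if not path.startswith(NOTIFY_PREFIX):
            continue
        subkey = path[len(NOTIFY_PREFIX):]
        dll = (reg_string(values.get("DllName")) or "").lower()
        startup = reg_string(values.get("Startup"))
        shutdown = reg_string(values.get("Shutdown"))
        if dll.rsplit("\\", 1)[-1] == DROPPED_DLL:  # bare name or full path
            findings.append(f"Winlogon Notify subkey {subkey} loads {DROPPED_DLL}")
        elif startup == "busStartup" or shutdown == "busShutdown":
            findings.append(f"Winlogon Notify subkey {subkey} exports bus* entry points "
                            f"(DllName={dll or 'none'})")
        elif NOTIFY_SUBKEY_PATTERN.fullmatch(subkey):
            findings.append(f"Winlogon Notify subkey {subkey} matches win???32 "
                            f"(DllName={dll or 'none'})")
    return findings


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def is_known_dropper(data):
    """True if the bytes hash to the MD5 listed for this dropper."""
    return md5_hex(data) == KNOWN_DROPPER_MD5


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Two caveats when using this against a real host: the description marks the MSSMGR key as hidden, so its absence from an export taken on a running, possibly infected system is not proof of absence (read the SOFTWARE hive offline instead), and Winlogon Notify DLLs are loaded into winlogon.exe at boot, so any Notify subkey you cannot account for deserves a look even if it matches none of the rules above.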

File details:
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Monday, November 24, 2008
Description updated by Monica Ghitun on Monday, November 24, 2008
