Virus: TR/Agent.tcn
Date discovered: 06/06/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 7.01.04.64

General
   • No own spreading routine
   • Kaspersky: Backdoor.Win32.Agent.ahrt
   • F-Secure: Backdoor.Win32.Agent.ahrt
   • Sophos: Mal/Generic-A
   • Bitdefender: Trojan.VB.NZF
   • Steals information

Files
It copies itself to the following locations:
   • %WINDIR%\systemserv32.exe
   • C:\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\appleJuice\incoming\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Bearshare\Shared\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\eDonkey2000\Incoming\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\emule\incoming\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Gnucleus\Downloads\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Grokster\My Grokster\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Kazaa Lite K++\My Shared Folder\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Kazaa Lite\My Shared Folder\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Kazaa\My Shared Folder\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\KMD\My Shared Folder\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\limewire\Shared\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Morpheus\My Shared Folder\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Overnet\incoming\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Rapigator\Share\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Shareaza\Downloads\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Swaptor\Download\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\Tesla\Files\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\WinMX\My Shared Folder\multi_keygen_for_532_games.exe
   • %PROGRAM FILES%\XoloX\Downloads\multi_keygen_for_532_games.exe

– A file that contains collected email addresses:
   • %WINDIR%\wkernel32.sys

Registry
The following registry key is added in order to run the process after reboot:

– SystemService32
   • %WINDIR%\systemserv32.exe
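The file and registry indicators above are written with %WINDIR% and %PROGRAM FILES% placeholders, so a straight string comparison against a real host will miss them. The following is an added example, not code from the original description or from the vendor: it expands those placeholders from a supplied environment mapping, normalizes Windows paths case-insensitively, and matches a host's file list and Run-key values against a subset of the indicators listed on this page. The environment mapping and the host inventory at the bottom are constructed sample data.

```python
"""Host-side indicator check for the TR/Agent.tcn description above.

Added example, not part of the original description. It takes a subset of
the drop paths and the Run-key value from the write-up, expands the
%WINDIR% / %PROGRAM FILES% placeholders, and matches case-insensitively
against a host inventory. SAMPLE_ENV, SAMPLE_FILES and SAMPLE_RUN below are
constructed test data, not output from a real machine.
"""
import ntpath
import re

# Indicators copied from the description (a representative subset).
DROP_PATHS = [
    r"%WINDIR%\systemserv32.exe",
    r"C:\multi_keygen_for_532_games.exe",
    r"%PROGRAM FILES%\emule\incoming\multi_keygen_for_532_games.exe",
    r"%PROGRAM FILES%\limewire\Shared\multi_keygen_for_532_games.exe",
    r"%WINDIR%\wkernel32.sys",          # collected e-mail addresses file
]
RUN_VALUE_NAME = "SystemService32"       # value name under the Run key
RUN_VALUE_DATA = r"%WINDIR%\systemserv32.exe"

_PLACEHOLDER = re.compile(r"%([^%]+)%")


def expand(indicator: str, env: dict) -> str:
    """Replace %NAME% placeholders using a case-insensitive env mapping.

    Raises KeyError for a placeholder the mapping does not cover, rather
    than silently leaving it in place and producing a path that never hits.
    """
    upper = {k.upper(): v for k, v in env.items()}

    def sub(match):
        key = match.group(1).upper()
        if key not in upper:
            raise KeyError(f"no value for placeholder %{match.group(1)}%")
        return upper[key]

    return _PLACEHOLDER.sub(sub, indicator)


def normalize(path: str) -> str:
    """Canonical Windows path form: lower-case, backslashes, no '..' parts."""
    return ntpath.normcase(ntpath.normpath(path))


def find_file_hits(present_files, env):
    """Return (host_path, indicator) pairs for files matching a drop path."""
    wanted = {normalize(expand(p, env)): p for p in DROP_PATHS}
    hits = []
    for path in present_files:
        canon = normalize(path)
        if canon in wanted:
            hits.append((path, wanted[canon]))
    return hits


def find_run_key_hits(run_values, env):
    """run_values: {value name: data} as read from a ...\\CurrentVersion\\Run key.

    Flags a value by name or by the program it points to, since either one
    alone may have been changed by a variant.
    """
    expected = normalize(expand(RUN_VALUE_DATA, env))
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or normalize(data) == expected:
            hits.append((name, data))
    return hits


# Constructed sample inventory (hypothetical host, not real telemetry).
SAMPLE_ENV = {"WINDIR": r"C:\Windows", "PROGRAM FILES": r"C:\Program Files"}
SAMPLE_FILES = [
    r"C:\WINDOWS\SystemServ32.EXE",
    r"C:\Program Files\eMule\Incoming\multi_keygen_for_532_games.exe",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_RUN = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "systemservice32": r"C:\Windows\systemserv32.exe",
}

if __name__ == "__main__":
    for path, indicator in find_file_hits(SAMPLE_FILES, SAMPLE_ENV):
        print(f"file hit: {path}  (indicator {indicator})")
    for name, data in find_run_key_hits(SAMPLE_RUN, SAMPLE_ENV):
        print(f"run-key hit: {name} = {data}")
```

On a live host the two sample lists would be replaced by a directory walk and a read of the HKLM and HKCU Run keys; the matching logic stays the same.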

Backdoor
Contact server:
   • http://blog.infolinux.ro/****************

This is done via an HTTP GET request to a PHP script.

Sends information about:
    • Collected Email addresses
    • Computer name

Stealing
It tries to steal the following information:

– The following CD key:
   • Steam

– Passwords from the following programs:
   • Firefox
   • Steam

– It uses a network sniffer that checks for the following strings:
   • :.login; :,login; :!login; :@login; :$login; :%login; :^login;
      :&login; :*login; :-login; :+login; :/login; :\login; :=login;
      :?login; :'login; :`login; :~login; : login; :.auth; :,auth; :!auth;
      :@auth; :$auth; :%auth; :^auth; :&auth; :*auth; :-auth; :+auth;
      :/auth; :\auth; :=auth; :?auth; :'auth; :`auth; :~auth; : auth;
      :.hashin; :!hashin; :$hashin; :%hashin; :.secure; :!secure; :.syn

File details
Programming language: The malware program was written in Visual Basic.

Description inserted by Serban Ghiuta on Tuesday, July 28, 2009
Description updated by Serban Ghiuta on Wednesday, July 29, 2009
