Virus: TR/Dldr.Agent.beti.3
Date discovered: 29/05/2009
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium to high
Static file: Yes
File size: 9.792 Bytes
MD5 checksum: c4c973cfdd2ffdcb847e07df55fdec43
IVDF version: 7.01.04.35 - Friday, May 29, 2009

General:
   • Mcafee: Dropper.ek
   • Sophos: Mal/Mdrop-L
   • Panda: Trj/Downloader.VYP
   • Grisoft: Downloader.Agent.AULX
   • Eset: Win32/TrojanDownloader.Small.OOV


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Downloads malicious files
   • Drops a malicious file
   • Registry modification

Files:
It copies itself to the following location:
   • %TEMPDIR%\%random character string%



It deletes the initially executed copy of itself.

It creates the following files:
   • %TEMPDIR%\1.txt (0 bytes)
   • %TEMPDIR%\nckdta.sys (1344 bytes) Further investigation pointed out that this file is malware, too.



It tries to download some files:

– The locations are the following:
   • http://files850362.net/b2b/**********
   • http://files850362.net/b2b/load/**********
   • http://files850362.net/b2b/load/**********
Furthermore, each file gets executed after it has been fully downloaded. Further investigation pointed out that these files are malware, too.

Registry:
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\nckdta]
   • "Type"=dword:00000001
   • "Start"=dword:00000003
   • "ErrorControl"=dword:00000000
   • "ImagePath"="\??\%TEMPDIR%\nckdta.sys"
   • "DisplayName"="nckdta nckdta"



The following registry key including all values and subkeys is removed:
   • [HKLM\SYSTEM\CurrentControlSet\Services\nckdta]



The following registry key is added:

– [HKLM\SYSTEM\CurrentControlSet\Services\nckdta]
   • "nckdta"=%number%

File details:
Programming language:
The malware program was written in Assembler.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Tuesday, July 7, 2009
Description updated by Petre Galan on Monday, August 17, 2009
