Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Drop.Agent.agla
Date discovered:26/02/2009
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:High
Static file:Yes
File size:172.207 Bytes
MD5 checksum:d6614007059d24844269db6ef460e4d9
IVDF version:7.01.01.239 - Friday, February 6, 2009

 General Aliases:
   •  Symantec: W32.SillyFDC
   •  Sophos: Mal/Generic-A
   •  Panda: W32/Lineage.KYR
   •  Eset: Win32/PSW.OnLineGames.NNU


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\kva8wr.exe
   • %drive%\jbele1.com



It renames the following files:

      %malware execution directory% into c:\%existing file or directory%.vcd



It deletes the initially executed copy of itself.



It deletes the following file:
   • %SYSDIR%\drivers\cdaudio.sys



It may corrupt the following file:
   • %SYSDIR%\drivers\cdaudio.sys



The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%SYSDIR%\drivers\klif.sys Further investigation pointed out that this file is malware, too. Detected as: Rkit/Agent.4160

%SYSDIR%\bgotrtu0.dll Detected as: TR/Vundo

%SYSDIR%\uweyiwe0.dll Detected as: TR/Crypt.XPACK.Gen

%drive%\lot.exe
%SYSDIR%\ahnfgss0.dll
%SYSDIR%\ahnsbsb.exe
%SYSDIR%\ahnxsds0.dll



It tries to download some files:

The location is the following:
   • http://hjkio.com/xhg2/**********


The location is the following:
   • http://kioytrfd.com/xhg2/**********

 Registry One of the following values is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "kvasoft"="%SYSDIR%\kva8wr.exe"



The following registry keys are added in order to load the service after reboot:

[HKLM\SOFTWARE\System\CurrentControlSet\Services\KAVsys]
   • "Type"=dword:00000001
      "Start"=dword:00000001
      "ErrorControl"=dword:00000001
      "ImagePath"="\??\%SYSDIR%\drivers\klif.sys"
      "DisplayName"="KAVsys"



The following registry keys are changed:

Various Explorer settings:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NoDriveTypeAutoRun"=dword:00000091

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   New value:
   • "CheckedValue"=dword:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"=dword:00000001
     "Hidden"=dword:00000002

 Injection –  It injects the following file into a process: %SYSDIR%\uweyiwe0.dll


 It injects a process watching routine into a process.

    Process name:
   • explorer.exe


 Rootkit Technology Hides the following:
– Its own process


Method used:
     Hidden from Master File Table (MFT)
     Hidden from Windows API
     Hidden from Interrupt Descriptor Table (IDT)

Description inserted by Petre Galan on Monday, July 6, 2009
Description updated by Petre Galan on Tuesday, August 18, 2009

Back . . . .