Virus: TR/Drop.Agent.ahvf
Date discovered: 25/02/2009
Type: Trojan
Subtype: Dropper
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 538,624 Bytes
MD5 checksum: b0bb51b66a38aa80dc26e514fab25feb
IVDF version: 7.01.02.78 - Wednesday, February 25, 2009
General
Aliases:
• McAfee: W32/Spybot.worm.gen virus
• Sophos: Mal/Generic-A
• Panda: W32/IRCBot.CKA.worm
• Eset: Win32/Boberog.K
• Bitdefender: Trojan.Generic.1448179
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a malicious file
• Drops malicious files
• Registry modification

Files
It copies itself to the following location:
• %SYSDIR%\wmisys.exe
It overwrites the following files:
– %WINDIR%\inf\1394.PNF
– %WINDIR%\inf\1394vdbg.PNF
It deletes the initially executed copy of itself.
The following INF text files are created. Each has the same content, redacted in the original description as "%code that runs malware%"; the INF file itself is classified as non-malicious, but it is what launches the dropped components:
– C:\netsf_m.inf
– %WINDIR%\inf\netsf_m.inf
– %WINDIR%\inf\netsf.inf
– C:\netsf.inf
The following files are also created; further investigation showed each of them to be malware, too:
– %SYSDIR%\drivers\ndisvvan.sys (detected as TR/Dropper.Gen)
– C:\msrwt.exe (detected as TR/Crypt.PEPM.Gen)
– C:\Documents and Settings\LocalService\onk.exe (detected as TR/Crypt.PEPM.Gen)
– %SYSDIR%\drivers\sysdrv32.sys (detected as TR/Hacktool.Tcpz.A)
It tries to download a file from the following location:
• http://195.149.74.40/css/**********
Further investigation showed that this file is malware, too.

Registry
The following registry key is added in order to run the process after reboot. Together the values register wmisys.exe as an auto-start Win32 service running as LocalSystem that restarts itself on failure:
– [HKLM\SYSTEM\CurrentControlSet\Services\WMISYS]
  • "Description"="Spools WMI applications."
  • "DisplayName"="WMI System App"
  • "ErrorControl"=dword:0x00000000 (SERVICE_ERROR_IGNORE)
  • "FailureActions"=hex:0A,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,B8,0B,00,00 (one action: SC_ACTION_RESTART after 3000 ms, failure count reset after 10 s)
  • "ImagePath"=""%SYSDIR%\wmisys.exe"" (the value is the path in quotes)
  • "ObjectName"="LocalSystem"
  • "Start"=dword:0x00000002 (SERVICE_AUTO_START)
  • "Type"=dword:0x00000110 (SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS)
The following registry key is changed:
– [HKLM\SYSTEM\CurrentControlSet\Control]
  New value:
  • "WaitToKillServiceTimeout"="7000" (milliseconds the service control manager waits for services to stop at shutdown)

File details
Runtime packer: In order to hinder detection and reduce the file size, it is packed with a runtime packer.
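A host triage check for the artefacts listed above, added here as an example; it is not part of Avira's description. It assumes that %SYSDIR% is $env:SystemRoot\System32, that %WINDIR% is $env:SystemRoot, and that the wmisys.exe copy is byte-identical to the analysed sample, so its MD5 should equal the checksum at the top of the page. Run it from an elevated PowerShell prompt on the suspect machine:

```powershell
# Added triage script (not Avira's code). Assumptions: %SYSDIR% = System32,
# %WINDIR% = $env:SystemRoot, wmisys.exe is a byte-identical copy of the sample.
$ErrorActionPreference = 'SilentlyContinue'
$sysdir   = Join-Path $env:SystemRoot 'System32'
$knownMd5 = 'b0bb51b66a38aa80dc26e514fab25feb'   # MD5 from the description header

function Get-Md5Hex([string]$Path) {
    # .NET MD5 rather than Get-FileHash so this also runs on PowerShell 2.0 (XP/2003).
    try {
        $fs  = [System.IO.File]::OpenRead($Path)
        $md5 = [System.Security.Cryptography.MD5]::Create()
        ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
        $fs.Close()
    } catch { 'unreadable' }
}

# 1. Persistence: the WMISYS service the dropper registers.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WMISYS'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    Write-Output "[!] Service WMISYS present: ImagePath=$($svc.ImagePath) ObjectName=$($svc.ObjectName) Start=$($svc.Start) Type=$($svc.Type)"
} else {
    Write-Output "[ ] Service key WMISYS not found"
}

# 2. Dropped files from the description; hash anything that exists.
$dropped = @(
    (Join-Path $sysdir 'wmisys.exe'),
    (Join-Path $sysdir 'drivers\ndisvvan.sys'),
    (Join-Path $sysdir 'drivers\sysdrv32.sys'),
    'C:\msrwt.exe',
    'C:\netsf.inf',
    'C:\netsf_m.inf',
    (Join-Path $env:SystemRoot 'inf\netsf.inf'),
    (Join-Path $env:SystemRoot 'inf\netsf_m.inf'),
    'C:\Documents and Settings\LocalService\onk.exe'
)
foreach ($f in $dropped) {
    if (Test-Path $f) {
        $h   = Get-Md5Hex $f
        $tag = if ($h -eq $knownMd5) { 'MATCHES sample MD5' } else { "md5=$h" }
        Write-Output "[!] $f exists ($tag)"
    }
}

# 3. Legitimate .PNF files the dropper overwrites: flag their write time so it
#    can be compared with the other *.PNF files in the same directory.
foreach ($p in 'inf\1394.PNF', 'inf\1394vdbg.PNF') {
    $full = Join-Path $env:SystemRoot $p
    if (Test-Path $full) {
        $mt = (Get-Item $full).LastWriteTime
        Write-Output "[?] $full last written $mt"
    }
}

# 4. The control value the dropper changes.
$wtk = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').WaitToKillServiceTimeout
if ($wtk -eq '7000') { Write-Output "[!] WaitToKillServiceTimeout = 7000 (value set by the dropper)" }

# 5. Any live connection to the download host named in the description.
netstat -ano | Select-String '195\.149\.74\.40' | ForEach-Object { Write-Output "[!] $_" }
```

Treat the WMISYS service key together with a present %SYSDIR%\wmisys.exe as the decisive indicator; the INF, .PNF and timeout checks only corroborate, since a 7000 ms timeout or a rewritten .PNF can have benign causes. Two of the dropped components are kernel drivers (ndisvvan.sys and sysdrv32.sys), so a live system may not report its own state faithfully; where possible, confirm findings against an offline copy of the disk and the SYSTEM hive. Vendor names for this sample differ (see the alias list), so match on the artefacts rather than on a detection name.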
Description inserted by Petre Galan on Monday, November 16, 2009 Description updated by Andrei Ivanes on Monday, November 23, 2009