Virus: TR/Agent.31232
Date discovered: 08/01/2008 (8 January 2008)
Type: Trojan
In the wild: Yes
Reported infections: Low
Distribution potential: Low
Damage potential: Low
Static file: Yes
File size: 31,232 bytes
MD5 checksum: ab0dc0fa9f939f8894a4bde2d4009029
IVDF version: 7.00.01.204 - Tuesday, January 8, 2008

General aliases:
   •  Panda: W32/Agent.MPQ
   •  Eset: Win32/TrojanDownloader.FakeAlert.VY
   •  Bitdefender: Trojan.Generic.1318096


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\frmwrk32.exe



It deletes the initially executed copy of itself.



The following file is created:

%SYSDIR%\uniq.tll



It tries to download further files:

– The location is the following:
   • http://lsp-test-nax.ind.in/**********
At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://lsp-test-nax.ind.in/**********
At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://pmsoftware.biz/cgi-bin/**********?code=0000015
At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://lsp-test-nax.ind.in/**********?code=0000015
At the time of writing this file was not online for further investigation.

– The locations are the following:
   • http://searchinv**********/?dn=lsp-test-nax.ind.in&flrdr=yes&nxte=gif
   • http://searchrein**********/?dn=lsp-test-nax.ind.in&flrdr=yes&nxte=gif
At the time of writing this file was not online for further investigation.

Registry
The following value is added so that the process is started again after a reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Framework Windows"="frmwrk32.exe"



The following registry values are added (the policy entries disable Task Manager and lock the Active Desktop and wallpaper settings):

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
   • "NoChangingWallpaper"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableTaskMgr"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   • "NoActiveDesktopChanges"=dword:0x00000001
   • "NoSetActiveDesktop"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
   • "NoChangingWallpaper"=dword:0x00000001



The following registry values are changed:

– [HKCU\Software\Microsoft\Internet Explorer\Desktop\Components]
   New value:
   • "GeneralFlags"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NoActiveDesktopChanges"=dword:0x00000001
   • "NoSetActiveDesktop"=dword:0x00000001
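
The file and registry indicators listed above can be checked offline against a registry export and a file sample. The script below is an added example for this description, not Avira's tooling: it parses the text format written by `reg export` (assumed already decoded from UTF-16), matches the persistence value and the policy entries from this description, and compares a file's MD5 and size against the published ones. The registry export embedded in it is constructed for illustration, and %SYSDIR% is assumed to be C:\Windows\System32. Note that the description writes DWORDs as `0x00000001` while a .reg export writes `dword:00000001`; both are parsed as hex.

```python
"""Offline IOC check for TR/Agent.31232 (added example, not Avira's code)."""
import hashlib
import re

# Indicators transcribed from the description above.
KNOWN_MD5 = "ab0dc0fa9f939f8894a4bde2d4009029"
KNOWN_SIZE = 31232
DROPPED_FILES = ("frmwrk32.exe", "uniq.tll")  # both under %SYSDIR%

# (key, value name, expected data). The description abbreviates the hives as
# HKLM/HKCU; a .reg export spells them out, so the long form is used here.
# Key and value names are compared case-insensitively, as the registry does.
REGISTRY_IOCS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Framework Windows", "frmwrk32.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop",
     "NoChangingWallpaper", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoActiveDesktopChanges", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoSetActiveDesktop", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop",
     "NoChangingWallpaper", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoActiveDesktopChanges", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoSetActiveDesktop", 1),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def _decode_data(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)          # accepts both 00000001 and 0x00000001
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw                           # hex(...) blobs are left as-is


def parse_reg_export(text):
    """Parse decoded `reg export` text into {key_lower: {name_lower: data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = _decode_data(m.group(2))
    return keys


def match_registry_iocs(text):
    """Return the (key, name, data) indicators that are present in the export."""
    keys = parse_reg_export(text)
    hits = []
    for key, name, expected in REGISTRY_IOCS:
        if keys.get(key.lower(), {}).get(name.lower()) == expected:
            hits.append((key, name, expected))
    return hits


def check_file(data):
    """Compare a file's bytes with the published MD5 and size."""
    md5 = hashlib.md5(data).hexdigest()
    return {"md5": md5, "md5_match": md5 == KNOWN_MD5,
            "size_match": len(data) == KNOWN_SIZE}


def dropped_file_paths(sysdir=r"C:\Windows\System32"):
    """Full paths to look for; %SYSDIR% is assumed to be System32 here."""
    return [sysdir.rstrip("\\") + "\\" + name for name in DROPPED_FILES]


# Constructed sample export: one infected Run key plus a benign entry, the
# HKCU Task Manager policy, and the HKLM Explorer policies (lower-case
# "policies", as Windows itself often spells it).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Framework Windows"="frmwrk32.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktopChanges"=dword:00000001
"NoSetActiveDesktop"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
"""

if __name__ == "__main__":
    for hit in match_registry_iocs(SAMPLE_EXPORT):
        print("registry IOC:", *hit)
    print("files to look for:", dropped_file_paths())
```

Treat the Run value "Framework Windows"="frmwrk32.exe" and a hash match as the strong indicators; the policy DWORDs on their own are weak evidence, since Group Policy sets the same values on managed machines.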

Injection
It injects itself as a thread into the following process:
   • explorer.exe


Miscellaneous
Strings: furthermore, it contains the following strings, the text of a fake security warning:
   • Warning! Security report
   • Your computer is infected! It is recommended to start spyware cleaner tool.

File details
Runtime packer: to hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, February 25, 2010
Description updated by Petre Galan on Friday, February 26, 2010
