Virus: WORM/Agent.196096
Date discovered: 20/01/2010
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 196,096 bytes
MD5 checksum: e6491116dd485687b7a58dcc7642b13b
VDF version: 7.10.01.44
IVDF version: 7.10.03.30 - Wednesday, January 20, 2010

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Gammima.AG
   •  Kaspersky: Trojan-GameThief.Win32.Magania.eagi
   •  TrendMicro: TROJ_GAMETHI.GYL
   •  Sophos: Troj/Agent-POC
   •  Microsoft: Worm:Win32/Taterf.B


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Registry modification
   • Makes use of software vulnerability

Files
It copies itself to the following location:
   • %SYSDIR%\anhzxc.exe



It deletes the initially executed copy of itself.



The following files are created:
   • %SYSDIR%\anszxc10.dll (further investigation showed that this file is malware, too)
   • %SYSDIR%\anszxc20.dll (further investigation showed that this file is malware, too)

Registry
The following value is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "anhxox"="%SYSDIR%\anhzxc.exe"



The following registry keys are added (they register anszxc20.dll as a COM in-process server under the ProgID IEHlprObj.IEHlprObj):

– [HKLM\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\
   VersionIndependentProgID]
   • @="IEHlprObj.IEHlprObj"

– [HKLM\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}\
   InprocServer32]
   • @="%SYSDIR%\anszxc20.dll"

– [HKLM\SOFTWARE\Classes\Interface\
   {C8414F9F-BA90-4600-B7EA-0CEFAF5A0636}\TypeLib]
   • @="{C8414F92-BA90-4600-B7EA-0CEFAF5A0636}"

– [HKLM\SOFTWARE\Classes\TypeLib\
   {C8414F92-BA90-4600-B7EA-0CEFAF5A0636}\1.0\0\win32]
   • @="%SYSDIR%\anszxc20.dll"

Process termination
List of processes that are terminated:
   • ASHDISP.EXE
   • avast.setup
   • setup.ovr
   • EKRN.EXE
   • updater.dll
   • eguiEpfw.dll
   • eguiEmon.dll
   • ekrnEpfw.dll
   • ekrnEmon.dll
   • AVP.EXE
   • prupdate.ppl
   • AYAGENT.AYE
   • AYUpdate.aye
   • UFSEAGNT.EXE
   • SfFnUp.exe
   • UfUpdUi.exe
   • AVGNT.EXE
   • preupd.exe
   • update.exe
   • VSTSKMGR.EXE
   • vsupdate.dll
   • mcupdate.exe
   • AVGRSX.EXE
   • avgupd.exe

These are components of security products (avast, ESET, Kaspersky, AhnLab, Trend Micro, Avira, McAfee, AVG), mostly their updaters and on-access scanners; terminating them is the sample's self-protection. Note that several entries are DLL or data file names rather than process image names.


Injection
It injects itself into a process.

    Process name:
   • explorer.exe
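The file, registry and injection artifacts above are the host-level indicators a responder would check first. The following script is an added example, not Avira's code or part of the original description: it takes the dropper MD5, file names, Run value and CLSIDs from this page and looks for them on a live host. The SysWOW64 and Wow6432Node locations are assumptions for a 32-bit sample running on 64-bit Windows (the page documents %SYSDIR% and HKLM\SOFTWARE\Classes only); the module check on explorer.exe is what catches the DLLs after the dropper has deleted its initial copy.

```powershell
# Added IOC hunt for the artifacts in the WORM/Agent.196096 description; not Avira's code.
# File names, hash, Run value and CLSIDs are taken from the page. SysWOW64 and
# Wow6432Node paths are assumptions for a 32-bit sample on 64-bit Windows.
# Run in an elevated PowerShell (4.0 or later, for Get-FileHash; on older hosts
# use "certutil -hashfile <path> MD5") on the suspect host.

$ExpectedMd5 = 'E6491116DD485687B7A58DCC7642B13B'           # dropper MD5 from the page
$FileNames   = 'anhzxc.exe', 'anszxc10.dll', 'anszxc20.dll'  # %SYSDIR% artifacts from the page
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'anhxox'
$ClassKeys   = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}'
    'HKLM:\SOFTWARE\Classes\Interface\{C8414F9F-BA90-4600-B7EA-0CEFAF5A0636}'
    'HKLM:\SOFTWARE\Classes\TypeLib\{C8414F92-BA90-4600-B7EA-0CEFAF5A0636}'
    # assumption: where WOW64 registry redirection places the CLSID on 64-bit hosts
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{C8414FA0-BA90-4600-B7EA-0CEFAF5A0636}'
)

# %SYSDIR% is System32; a 32-bit dropper on x64 is redirected to SysWOW64 (assumption).
$SysDirs = @("$env:SystemRoot\System32")
if (Test-Path -LiteralPath "$env:SystemRoot\SysWOW64") { $SysDirs += "$env:SystemRoot\SysWOW64" }

function Find-AgentIndicators {
    $hits = @()

    # 1. Dropped files. Only the dropper has a hash on the page; a mismatch on
    #    anhzxc.exe is reported rather than ignored, since repacked variants are common.
    foreach ($dir in $SysDirs) {
        foreach ($name in $FileNames) {
            $path = Join-Path -Path $dir -ChildPath $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            $note = "MD5 $md5"
            if ($name -eq 'anhzxc.exe' -and $md5 -ne $ExpectedMd5) {
                $note += ' (differs from the documented sample; possible variant)'
            }
            $hits += [pscustomobject]@{ Type = 'File'; Detail = "$path, $note" }
        }
    }

    # 2. Persistence: the HKCU Run value, matched on the value name and on the data,
    #    so a renamed value that still points at anhzxc.exe is caught as well.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $run  = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # provider metadata, not Run values
            $data = [string]$prop.Value
            if ($prop.Name -eq $RunValue -or $data -match 'anhzxc\.exe') {
                $hits += [pscustomobject]@{ Type = 'Registry'; Detail = "$RunKey\$($prop.Name) = $data" }
            }
        }
    }

    # 3. COM registration of anszxc20.dll (IEHlprObj). Presence of the key is the
    #    indicator; the InprocServer32 default value is added for triage.
    foreach ($key in $ClassKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $detail = $key
        if ($key -match '\\CLSID\\') {
            $server = (Get-ItemProperty -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $detail += " (InprocServer32 = $server)"
        }
        $hits += [pscustomobject]@{ Type = 'Registry'; Detail = $detail }
    }

    # 4. Runtime: the dropper injects into explorer.exe. Its DLLs show up in
    #    explorer's module list while mapped, even after the original dropper copy
    #    is gone. Enumeration fails across a 32/64-bit boundary or without
    #    privileges, so that case is reported instead of silently skipped.
    foreach ($proc in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        try {
            foreach ($m in $proc.Modules) {
                if ($m.ModuleName -match '^an[hs]zxc') {
                    $hits += [pscustomobject]@{ Type = 'Process'; Detail = "explorer.exe PID $($proc.Id) has loaded $($m.FileName)" }
                }
            }
        } catch {
            $hits += [pscustomobject]@{ Type = 'Warning'; Detail = "could not enumerate modules of explorer.exe PID $($proc.Id): $($_.Exception.Message)" }
        }
    }
    return $hits
}

$found = Find-AgentIndicators
if ($found) { $found | Format-Table -AutoSize }
else        { 'No indicators from the WORM/Agent.196096 description found.' }
```

An empty result is not proof of a clean host: the names above belong to this one sample, the dropper removes its initial copy, and a variant packed differently will not match the MD5. Treat a hash mismatch on a file at the documented path as a finding to escalate, not as a false positive.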


Miscellaneous
Anti debugging:
Checks for a debugger or virtual machine using time-related techniques (timing checks that detect the slowdown introduced by a debugger or hypervisor).

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • ASPack

Description inserted by Andrei Ilie on Friday, April 8, 2011
Description updated by Andrei Ilie on Thursday, April 14, 2011
