Virus:TR/Agent.smtu
Date discovered:17/06/2012
Type:Trojan
In the wild:No
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low
File size:119300 Bytes
MD5 checksum:78e8587f0270974b212fc0a1a477214f
VDF version:7.11.33.56 - Sunday, June 17, 2012
IVDF version:7.11.33.56 - Sunday, June 17, 2012

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Generic.evx!ca
   •  Kaspersky: Trojan.Win32.Agent.smtu
   •  Bitdefender: Trojan.Generic.KDV.653308
   •  Grisoft: Agent3.BRKR
   •  Eset: Win32/Diazom.NAC trojan
   •  GData: Trojan.Generic.KDV.653308
   •  DrWeb: Trojan.Spambot.11460
   •  Norman: Trojan W32/Suspicious_Gen4.AKCPQ


Platforms / OS:
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files
It copies itself to the following locations:
   • %HOME%\Start Menu\Programs\Startup\uvogb.exe
   • %appdata%\wiyone.exe

Registry
The following registry keys are added:

– [HKCU\Software\AppDataLow\nkfjqipxejsooboxdlm]
   • "{C5840F71-67D1-4b13-AF88-513BC2C43FB9}"="dword:0x00000074"

– [HKCU\Software\AppDataLow\nkfjqipxejsooboxdlm\
   {E525B997-4A1A-425a-84B7-5D98AF7F902A}]
   • "moolkxgm"="c:\sample.exe"



The following registry keys are changed:

Internet Explorer's start page:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Start Page"="about:blank"
   New value:
   • "Start Page"="http://domredi.com/1/"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   Old value:
   • "ctfmon.exe"="c:\windows\system32\ctfmon.exe"
   New value:
   • "xtnxguj"="%appdata%\wiyone.exe"
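The persistence artefacts listed above (the two dropped copies, the marker key under HKCU\Software\AppDataLow, the Run value and the hijacked start page) can be checked on a suspect machine with the following PowerShell script. It is an added example, not Avira's tooling; it assumes that %HOME% in the description means the user's profile directory, uses the page's MD5 to tell the analysed sample from a possible variant, and only reports what it finds without deleting anything.

```powershell
# Added example (not Avira's own tooling): report the TR/Agent.smtu persistence
# indicators listed on this page for the current user profile. Every artefact in
# the description lives under HKCU or the user's profile, so run this as the user
# whose profile is suspected. It only reports; nothing is removed.
# Assumption: Avira's %HOME% is the user profile directory ($env:USERPROFILE).

$knownMd5 = '78e8587f0270974b212fc0a1a477214f'   # MD5 of the analysed sample (from the description)

function Get-Md5Hex([string]$Path) {
    # .NET MD5 instead of Get-FileHash so this also runs on PowerShell 2.0 (Windows 7 default)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

$findings = @()

# 1. Dropped copies: the per-user Startup folder (runs at logon) and %appdata%.
#    On Vista and later "Start Menu" in the profile is a junction into
#    AppData\Roaming\Microsoft\Windows, so the documented path still resolves.
$dropPaths = @(
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\uvogb.exe'),
    (Join-Path $env:APPDATA 'wiyone.exe')
)
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = Get-Md5Hex $path
        if ($hash -eq $knownMd5) { $note = 'MD5 matches the analysed sample' }
        else { $note = "MD5 $hash differs from the sample (possible variant)" }
        $findings += "File present: $path ($note)"
    }
}

# 2. Marker key the trojan creates under HKCU\Software\AppDataLow
$markerKey = 'HKCU:\Software\AppDataLow\nkfjqipxejsooboxdlm'
if (Test-Path -LiteralPath $markerKey) {
    $findings += "Registry key present: $markerKey"
}

# 3. Run-key persistence: the documented value name, or any value that launches wiyone.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSParentPath metadata
        if ($prop.Name -eq 'xtnxguj' -or "$($prop.Value)" -match 'wiyone\.exe') {
            $findings += "Run value '$($prop.Name)' = $($prop.Value)"
        }
    }
}

# 4. Hijacked Internet Explorer start page
$ieMain = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain -and "$($ieMain.'Start Page')" -like 'http://domredi.com/*') {
    $findings += "IE Start Page hijacked: $($ieMain.'Start Page')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No TR/Agent.smtu indicators found in this user profile.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Because all of the indicators are per-user, run the script once per profile on a shared machine (or load each user's NTUSER.DAT and adjust the HKCU paths) rather than only as the administrator who is investigating.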

Miscellaneous
Internet connection:
In order to check for an Internet connection, it issues DNS lookups for the following host names, many of them public URL-shortener services:
   • pralala.com
   • liltinti.com
   • arm.in
   • yvy.me
   • digg.com
   • yourls.org
   • beam.to
   • cli.gs
   • fff.to
   • unshorten.com
   • tinylink.ir
   • tinylink.me
   • burnurl.com
   • tintiurl.com
   • ahref.in
   • clockurl.com
   • goo.gl
   • bacn.me
   • ity.im
   • chilp.it
   • dboost.de
   • d0g.me
   • b4it.net
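The names above are mostly high-traffic shortener and link services, so a single lookup of goo.gl or digg.com from a workstation is meaningless on its own; the signal is one client resolving several of them within seconds, which is what a connectivity check looks like on the wire. The following PowerShell script, an added example rather than anything from Avira, applies that rule to DNS query log lines. The log format and the sample lines are constructed for the example, the thresholds (three distinct domains inside 60 seconds) are assumptions to tune per environment, and the start-page domain domredi.com from the registry section is treated as a stand-alone indicator.

```powershell
# Added example (not from Avira): hunt DNS query logs for the connectivity-check
# burst described above. One client resolving several of the listed names within a
# short window is flagged; a lone lookup of a popular shortener is ignored.
# Requires PowerShell 3.0+ for the [pscustomobject] syntax.

$iocDomains = @(
    'pralala.com','liltinti.com','arm.in','yvy.me','digg.com','yourls.org','beam.to',
    'cli.gs','fff.to','unshorten.com','tinylink.ir','tinylink.me','burnurl.com',
    'tintiurl.com','ahref.in','clockurl.com','goo.gl','bacn.me','ity.im','chilp.it',
    'dboost.de','d0g.me','b4it.net'
)
$startPageDomain = 'domredi.com'   # hijacked IE start page; a single query is worth a look
$minDistinct     = 3               # assumed threshold: distinct indicator domains per window
$windowSeconds   = 60              # assumed window length

# Constructed sample log, format: <date> <time> <client IP> <queried name>.
# Adapt the regex below to your resolver's real format (BIND querylog, Windows DNS debug log, ...).
$sampleLog = @'
2012-06-19 09:00:01 192.168.1.20 www.example.com
2012-06-19 09:00:05 192.168.1.20 goo.gl
2012-06-19 09:00:06 192.168.1.20 cli.gs
2012-06-19 09:00:07 192.168.1.20 tinylink.me
2012-06-19 09:00:09 192.168.1.20 domredi.com
2012-06-19 09:03:00 192.168.1.31 goo.gl
2012-06-19 09:45:00 192.168.1.31 digg.com
'@ -split "`r?`n"

function Test-IocDomain([string]$Name) {
    # returns the matching indicator domain (exact or subdomain), or $null
    foreach ($d in $iocDomains) {
        if ($Name -eq $d -or $Name.EndsWith('.' + $d)) { return $d }
    }
    return $null
}

$byClient = @{}
foreach ($line in $sampleLog) {
    if (-not ($line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+)$')) { continue }
    $ts     = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss',
                                     [System.Globalization.CultureInfo]::InvariantCulture)
    $client = $Matches[2]
    $name   = $Matches[3].ToLower().TrimEnd('.')   # normalise case and trailing dot

    if ($name -eq $startPageDomain -or $name.EndsWith('.' + $startPageDomain)) {
        "[!] $client queried $name at $ts (hijacked start page domain)"
    }

    $hit = Test-IocDomain $name
    if (-not $hit) { continue }
    if (-not $byClient.ContainsKey($client)) { $byClient[$client] = @() }
    $byClient[$client] += [pscustomobject]@{ Time = $ts; Domain = $hit }
}

foreach ($client in $byClient.Keys) {
    $events = @($byClient[$client] | Sort-Object Time)
    for ($i = 0; $i -lt $events.Count; $i++) {
        # distinct indicator domains seen in the window starting at event i
        $seen = @{}
        for ($j = $i; $j -lt $events.Count -and ($events[$j].Time - $events[$i].Time).TotalSeconds -le $windowSeconds; $j++) {
            $seen[$events[$j].Domain] = $true
        }
        if ($seen.Count -ge $minDistinct) {
            "[!] $client resolved $($seen.Count) connectivity-check domains within ${windowSeconds}s from $($events[$i].Time): $($seen.Keys -join ', ')"
            break
        }
    }
}
```

With the constructed sample, 192.168.1.20 is reported twice (once for domredi.com, once for the goo.gl / cli.gs / tinylink.me burst), while 192.168.1.31, whose two lookups are 45 minutes apart, stays quiet. Pipe real resolver logs through the same parser after adjusting the regex; the sliding window and the per-client grouping do not depend on the log format.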

Description inserted by Wensin Lee on Tuesday, June 19, 2012
Description updated by Wensin Lee on Tuesday, June 19, 2012
