English
Deutsch
Francais
Español
Italian
Home
Virus Info
TR/Dldr.Agent.dne
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/Dldr.Agent.dne - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Dldr.Agent.dne
Date discovered:
21/09/2007
Type:
Trojan
Subtype:
Downloader
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Medium
Static file:
Yes
File size:
7.168 Bytes
MD5 checksum:
119907ad8248b2e06461d782ea93c00B
IVDF version:
6.39.01.161
- Fri, 21 Sep 2007 10:13 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• F-Secure: Trojan-Downloader.Win32.Agent.dne
• Sophos: Troj/DwnLdr-GXX
• Grisoft: Downloader.Agent.STQ
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads files
• Registry modification
• Third party control
Registry
It registers a browser helper object (BHO) by adding the following keys:
– [HKCR\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}]
• @ = H
– [HKCR\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}\InprocServer32]
• @ =
%malware dll%
• ThreadingModel = Apartment
– [HKCR\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}\ProgID]
• @ = H.1
– [HKCR\CLSID\{3F6D54BB-34EE-4469-B094-86B09E53BCF8}\TypeLib]
• @ = {71FC19DC-CEEC-45dc-B303-A85633166864}"
Backdoor
Contact server:
All of the following:
• http://**********oso.com/newuser.php
• http://**********oso.com/comm.php
As a result it may send information and remote control could be provided. This is done via the HTTP GET and POST method using a PHP script.
The servers answer is written to the file:
%SYSDIR%
\comm.xml
Sends information about:
• Current malware status
Remote control capabilities:
• Download file
• Execute file
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX
See a brief description
here
.
Description inserted by Andrei Gherman on Mon, 24 Sep 2007 10:11 (GMT+1)
Description updated by Andrei Gherman on Mon, 24 Sep 2007 10:32 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.CFI.Gen
W32/Elkern.C
Worm/Mytob.AD
Worm/Mytob.AT
Worm/Bagle.FJ
TR/Drop.MuJoin.AF
PHISH/CrediCard
TR/Autorun.afj
BDS/Agent.qfh.1
TR/Dldr.FraudLoa.NC
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/Dldr.Agent.dne
Print this page
.gif)
