English
Deutsch
Español
Italian
Home
Virus Info
TR/Agent.249856.B
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/Agent.249856.B - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Agent.249856.B
Date discovered:
26/03/2008
Type:
Trojan
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
No
File size:
~200.000 Bytes
VDF version:
7.00.03.69
IVDF version:
7.00.03.74
- Wed, 26 Mar 2008 07:50 (GMT+1)
General
Method of propagation:
• Email
Aliases:
• Kaspersky: Trojan.Win32.Agent.gjp
• F-Secure: Trojan.Win32.Agent.gjp
• Bitdefender: Backdoor.Oderoor.BM
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Uses its own Email engine
• Registry modification
• Third party control
Files
It copies itself to the following location:
•
%SYSDIR%
\
%random character string%
.exe
Registry
One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
•
%random character string%
="
%SYSDIR%
\
%random character string%
.exe"
The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\
%random character string%
]
• "Type"=dword:00000010
• "Start"=dword:00000002
• "ErrorControl"=dword:00000000
• "ImagePath"="
%SYSDIR%
\
%random character string%
.exe /service"
• "DisplayName"="Print Spooler Service"
• "ObjectName"="LocalSystem"
The following registry key is added:
– [HKLM\SYSTEM\CurrentControlSet\Services\
%random character string%
\Security]
• "Security"=
%hex values%
Email
It contains an integrated SMTP engine in order to send Spam emails. A direct connection with the destination server will be established. The characteristics are described in the following:
From:
Gathered addresses from the internet. Please do not assume that it was the senders intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails that tell you that you are infected. This might also not be the case.
To:
– Gathered addresses from the internet.
Backdoor
The following port is opened:
–
%random character string%
.exe on TCP port 49500
Contact server:
The following:
• **********:447
Injection
– It injects itself as a remote thread into a process.
Process name:
• winlogon.exe
Miscellaneous
Mutex:
It creates the following Mutex:
• 2819717815
File details
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Ernest Szocs on Tue, 01 Apr 2008 10:56 (GMT+1)
Description updated by Ernest Szocs on Tue, 01 Apr 2008 12:22 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
W32/Elkern.C
TR/Crypt.CFI.Gen
Worm/KillAV.GR
Worm/Mytob.AP
Worm/Mytob.AT
TR/Crypt.PEPM.Gen
TR/Vundo.ewz.9
TR/Monderb.318720
Worm/IrcBot.39673.1
TR/PSW.Steam.DU
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/Agent.249856.B
Print this page
.gif)
