English
Deutsch
Français
Español
Italiano
Home
Virus Info
TR/Agent.ies
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TechBlog
TR/Agent.ies - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/Agent.ies
Date discovered:
24/12/2008
Type:
Trojan
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Low
Static file:
No
File size:
~1.390.000 Bytes
VDF version:
7.01.01.28
- Wed, 24 Dec 2008 08:16 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Worm.Win32.AutoRun.arif
• F-Secure: Worm.Win32.AutoRun.arif
• Eset: Win32/FlyStudio.NET
Platforms / OS:
• Windows 2000
• Windows XP
Side effects:
• Registry modification
Files
It copies itself to the following locations:
• %systemdir%\XP-290F2C69.EXE
• %systemdir%\XP-%8 random hexa digits%.exe
The following files are created:
– Non malicious file:
• C:\Documents and Settings\%user%\Start Menu\Programs\Startup\ˇˇˇˇˇˇ
(short-cut to XP-290F2C69.EXE)
– Temporary files that might be deleted afterwards:
• %systemdir%\com.run
• %systemdir%\dp1.fne
• %systemdir%\eAPI.fne
• %systemdir%\internet.fne
• %systemdir%\krnln.fnr
• %systemdir%\RegEx.fnr
• %systemdir%\shell.fne
• %systemdir%\spec.fne
• %systemdir%\og.EDT
• %systemdir%\og.dll
• %systemdir%\ul.dll
• %tempdir%\E_4\com.run
• %tempdir%\E_4\dp1.fne
• %tempdir%\E_4\eAPI.fne
• %tempdir%\E_4\internet.fne
• %tempdir%\E_4\krnln.fnr
• %tempdir%\E_4\RegEx.fnr
• %tempdir%\E_4\shell.fne
• %tempdir%\E_4\spec.fne
It tries to executes the following file:
– Filename:
• %systemdir%\XP-%8 random hexa digits%.exe
Furthermore it contains malicious code. Detected as: TR/Agent.ies
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "XP-290F2C69"="
%SYSDIR%
\XP-290F2C69.EXE"
Backdoor
Contact server:
The following:
• http://www.hidatabase.cn/**.***
File details
Programming language:
The malware program was written in MS Visual C++.
See a brief description
here
.
Description inserted by Mihai Dilimot on Wed, 29 Jul 2009 12:30 (GMT+1)
Description updated by Mihai Dilimot on Wed, 29 Jul 2009 13:34 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.XPACK.Gen
HEUR/HTML.Malware
HTML/Infected.WebPage.Gen
ADSPY/AdSpy.Gen
HTML/Crypted.Gen
W32/Induc.Gen
TR/ATRAPS.Gen2
TR/Click.Yabector.8857.2
TR/PSW.Magania.auv
TR/Dldr.Bredolab.AX
Get comfortable up to the minute info from Avira as
Detects and removes distinct malware and its variants.
Download here
Click
here
to get the panel...
© 2009 Avira GmbH
Copyright
|
Privacy
|
Sitemap
|
Feedback
|
Imprint
|
FAQ
|
Contact
Virus Info TR/Agent.ies
Print this page
.gif)
