ThreatExpert Report: Trojan-Downloader.Win32.Agent.abnd, TROJ

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 21 October 2009, 11:35:34
Processing time: 6 min 0 sec
Submitted sample:

File MD5: 0x6EC4A7A1F3FE47C9AFC663127AEC9A68
File SHA-1: 0xD9C9A4D16220CB325C3B97B3535221CF7DAF0132
Filesize: 34,816 bytes
Alias:

Trojan-Downloader.Win32.Agent.abnd [Kaspersky Lab]
TROJ_AGENT.ANMO [Trend Micro]
Troj/Dloadr-BSP [Sophos]
Trojan-Dropper.Agent [Ikarus]
Win-Trojan/Agent.34816.JE [AhnLab]

Summary of the findings:

What's been found	Severity Level
Registers a Winlogon notification package so that the installed module is loaded into the address space of winlogon.exe.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-Downloader.Agent!ct	Trojan-Downloader.Agent!ct attempts to download malicious files to the local computer and execute them
Adware.Agent!sd6	Adware.Agent!sd6 is a potentially unwanted adware program that could be used to display various pop-up advertisements.

Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\_A00F1C01E.exe %Temp%\_A00F3593D.exe [file and pathname of the sample #1]	34,816 bytes	MD5: 0x6EC4A7A1F3FE47C9AFC663127AEC9A68 SHA-1: 0xD9C9A4D16220CB325C3B97B3535221CF7DAF0132	Trojan-Downloader.Win32.Agent.abnd [Kaspersky Lab] TROJ_AGENT.ANMO [Trend Micro] Troj/Dloadr-BSP [Sophos] Trojan-Dropper.Agent [Ikarus] Win-Trojan/Agent.34816.JE [AhnLab]
2	%System%\__c0018A40.dat %System%\__c00AD8FC.dat	25,088 bytes	MD5: 0x69FEB378121DB99F80E15D597EC60124 SHA-1: 0x2A0549B4536CC4CDB3E72384C5DEB92759050B55	not-a-virus:AdWare.Win32.Agent.ekj [Kaspersky Lab] TROJ_TIBS.CKN [Trend Micro] not-a-virus:AdWare.Win32.Agent [Ikarus] Win-Trojan/Agent.25088.HO [AhnLab]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
__c0018A40.dat	%System%\__c0018A40.dat	Process name: services.exe Process filename: %System%\services.exe Address space: 0x10000000 - 0x1000A96E
__c00AD8FC.dat	%System%\__c00AD8FC.dat	Process name: services.exe Process filename: %System%\services.exe Address space: 0x7F0000 - 0x7FA96E
__c0018A40.dat	%System%\__c0018A40.dat	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0xF90000 - 0xF9A96E
__c0018A40.dat	%System%\__c0018A40.dat	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0x10000000 - 0x1000A96E
__c0018A40.dat	%System%\__c0018A40.dat	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x10000000 - 0x1000A96E
__c0018A40.dat	%System%\__c0018A40.dat	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x14E0000 - 0x14EA96E
__c0018A40.dat	%System%\__c0018A40.dat	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x19A0000 - 0x19AA96E

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0018A40

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0018A40]

Asynchronous = 0x00000001
DllName = "%System%\__c0018A40.dat"
Impersonate = 0x00000000
Startup = "B"
Logon = "B"

so that __c0018A40.dat is installed as a Winlogon notification package

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

A00F1C01E.exe = "%Temp%\_A00F1C01E.exe"
A00F3593D.exe = "%Temp%\_A00F3593D.exe"

so that _A00F1C01E.exe runs every time Windows starts

so that _A00F3593D.exe runs every time Windows starts

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.