VIRUS ALERTS

Trojan AGENT and variants

Original issue date: May 08, 2008

Several variants of the Trojan Agent family have been observed spreading widely. The family began spreading in February 2008.

Some of the variants of Trojan Agent, with the aliases used by other vendors, are:

  • TROJ_AGENT.ANAF
  • TROJ_AGENT.XOO
  • TROJ_AGENT.AMAL (Aliases: Trojan.Dropper (Symantec), Troj/DwnLdr-HCM (Sophos), TrojanDownloader:Win32/DlRhifrem.gen!A (Microsoft))
  • TROJ_AGENT.LJY (Aliases: Trojan-Downloader.Win32.Agent.mki (Kaspersky), BackDoor-DNM (McAfee), Mal/EncPk-DA (Sophos), Trojan:Win32/Tibs.gen!G (Microsoft))
  • TROJ_AGENT.VLW (Aliases: Infostealer.Gampass (Symantec))
  • TROJ_AGENT.AZZZ (Aliases: Backdoor.Win32.Hupigon.bnfb (Kaspersky), Generic PWS.b (McAfee), Backdoor.Robofo.A (Symantec), BDS/Hupigon.bnfb (Avira), Troj/Delf-FAE (Sophos), Backdoor:Win32/Allaple.D (Microsoft))
  • TROJ_AGENT.AAAS (Aliases: Trojan-Downloader.Win32.Agent.lyg (Kaspersky), TR/Dldr.Agent.lyg.2 (Avira), Mal/Heuri-E (Sophos), TrojanDownloader:Win32/Selex.A (Microsoft))
  • TROJ_AGENT.ERP (Aliases: Trojan-Proxy.Win32.Agent.kx (Kaspersky), Proxy-Agent.a (McAfee), Backdoor.Trojan (Symantec), TR/Proxy.Agent.KX (Avira), Troj/Agent-DIV (Sophos))

These Trojans are dropped by other malware or are downloaded onto a system while the user visits a malicious website. Some variants propagate through spam emails that carry either a link to a malicious website or the Trojan itself as an attachment; the attachments use MS WordPad and Adobe PDF file icons to make users believe the files are genuine documents.
On execution, the Trojan displays a fake "installation complete" notification and drops its files on the system.

Trojan Agent variants connect to other malicious domains/websites to download further malicious files. The downloaded files carry names containing random text or digits, chosen to resemble legitimate files so that the user believes a legitimate download is in progress on the affected system. All of these files are detected as Trojans or as supporting files bundled with Trojans.

Some variants of Trojan Agent act as a proxy server: they open port 447, receive incoming requests from the attacker and forward them to the target server. These variants may also be used by other malware to send spam emails, using their own SMTP engine, to the email addresses collected from the infected system.

Activities of Trojan Agent after execution:

  • Creates the following registry entry to ensure that it is executed at every system startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      [Malware name/random name] = "[Malware path]"
  • As part of its installation routine, modifies the following registry entries to lower the Internet Security Zone settings and to change Windows Explorer's hidden-file display settings:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      Hidden = "0"
      ShowSuperHidden = "0"
      SuperHidden = "0"
  • Drops copies of itself and the downloaded files (malicious and non-malicious) into folders such as:
    %Desktop%\
    %System%\
    %User Temp%\
    %Windows%\
  • Downloads the following malicious files and bundled supporting files:
    UnivisionMultimedia_flashplayer_swf.exe, antiviirus.exe, win32.exe, FlyVideoCodec.exe, servic.exe, MSOUTRC2008Update-KB64738.exe, m.exe, csrss.exe, JAVAMACHINE.EXE, seiunacapra.exe, aspimgr.exe, gmost.exe.
    winlogon.jpg, proxy.jpg, search.jpg, tool.jpg, tibs.jpg, kernelupdate.jpg
    17PHolmes.cmt, index.php, load.php, ztool{1-5},
    zgame{1-5}

    And some non-malicious files:
    amatoriale.avi, medialib.lib, indagati-03-20008.xls, FINAL_TBF2.pdf
  • Propagates through spam emails with subject lines such as “Full porno dvd {popular actor/actress}”.
  • Attempts to connect to the following dynamic DNS hosts while acting as a proxy server:
    {random}.mooo.com
    {random}.dynserv.com
    {random}.yi.org
    {random}.dyndns.org
  • Collects email addresses, for use in spam, from files with the following extensions:
    123, asm, c, chm, cpp, csv, dbf, dif, doc, eps, h, htm, html, hwp, inc, info, jtd, nfo, ott, pdf, php, ps, rtf, sdc, sdw, slk, sxw, sys, tmp, txt, wab, wk1, wks, wpd, wps, xml.
  • Trojan Agent variants try to access the following URLs to download malicious files:
    http://www.{BLOCKED}oody.net/gobbaser.exe
    http://www.{BLOCKED}oody.net/mitraser.exe
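
The host-side checks an incident responder would run against the artefacts listed above, as an added example that is not part of this advisory: a Python script that parses the output of "reg query" (for instance collected from a suspect workstation) and flags Run values that launch one of the dropped file names or start a program from the Desktop or Temp drop folders, and Explorer hidden-file values set to 0. The reg query output and the user-profile paths in it are constructed for the example.

```python
"""Triage of the host artefacts listed in the advisory (HKCU Run
persistence, the Explorer hidden-file values and the dropped file names)
from the output of 'reg query'.

Added example, not part of the CERT-In advisory: the 'reg query' output
in SAMPLE_REG_QUERY is constructed for this example, and the user-profile
paths in it are assumed."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADV_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Advanced")

# File names the advisory lists as downloaded/dropped executables.
DROPPED_FILES = {n.lower() for n in (
    "UnivisionMultimedia_flashplayer_swf.exe", "antiviirus.exe", "win32.exe",
    "FlyVideoCodec.exe", "servic.exe", "MSOUTRC2008Update-KB64738.exe",
    "m.exe", "csrss.exe", "JAVAMACHINE.EXE", "seiunacapra.exe",
    "aspimgr.exe", "gmost.exe")}
# Drop folders from the advisory that are not normal autorun locations.
SUSPICIOUS_AUTORUN_DIRS = ("\\desktop\\", "\\temp\\")
# Explorer Advanced values the advisory says the Trojan sets to "0".
HIDING_VALUES = ("Hidden", "ShowSuperHidden", "SuperHidden")


def parse_reg_query(text):
    """Parse 'reg query' output into {key_path: {value_name: (type, data)}}.

    reg.exe prints each key path unindented on its own line, followed by
    one indented line per value: name, type and data separated by runs of
    spaces (the data itself may contain single spaces)."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.upper().startswith("HK"):
            current = line.strip()
            keys[current] = {}
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if current is not None and len(parts) == 3:
            name, vtype, data = parts
            keys[current][name] = (vtype, data)
    return keys


def exe_from_command(cmd):
    """Lower-cased executable path from a Run value's command line.
    A quoted path ends at the closing quote; an unquoted one at the first
    '.exe' (Windows resolves unquoted paths containing spaces loosely)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else (cmd.split()[0] if cmd else "")
    return path.lower()


def triage(reg_output):
    """Return [(severity, message)] for the advisory's registry indicators."""
    findings = []
    keys = parse_reg_query(reg_output)
    for name, (_, data) in keys.get(RUN_KEY, {}).items():
        exe = exe_from_command(data)
        base = exe.rsplit("\\", 1)[-1]
        if base in DROPPED_FILES:
            findings.append(("high", f"Run value '{name}' starts known dropped file {base}"))
        elif any(d in exe for d in SUSPICIOUS_AUTORUN_DIRS):
            findings.append(("medium", f"Run value '{name}' starts a program from a drop folder: {exe}"))
    adv = keys.get(ADV_KEY, {})
    zeroed = [v for v in HIDING_VALUES if v in adv and adv[v][1].lower() in ("0", "0x0")]
    if zeroed:
        findings.append(("medium", "Explorer hidden-file values set to 0: " + ", ".join(zeroed)))
    return findings


# Constructed sample of what 'reg query' prints on an infected profile.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    servic    REG_SZ    "C:\Documents and Settings\user\Local Settings\Temp\servic.exe"
    Updater    REG_SZ    C:\Documents and Settings\user\Desktop\x7f3k.exe -s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden    REG_DWORD    0x0
    ShowSuperHidden    REG_DWORD    0x0
    SuperHidden    REG_DWORD    0x0
    HideFileExt    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REG_QUERY):
        print(f"[{severity}] {message}")
```

Matching on the dropped file names alone is deliberately rated higher than matching on the folder, because several of the names (csrss.exe, win32.exe) mimic legitimate binaries that are never registered under the Run key, whereas a program starting from Temp or the Desktop is only suspicious until its origin is known.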

In view of the rapid propagation and high damage potential of these Trojan Agent variants, users are advised to implement the following countermeasures:

  • Install and maintain updated anti-virus software at the gateway and desktop level.
  • Filter emails with the above-mentioned subject lines and attachments at the gateway.
  • Block the URLs listed above, which are accessed by these Trojan variants.
  • Keep up to date with patches and fixes for the operating system and application software.
  • Exercise caution while opening email attachments.
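
The gateway-side filtering recommended above, together with a check for the proxy behaviour on port 447 described earlier, as an added example that is not part of this advisory. It is written in Python and goes slightly beyond the advisory in one respect: it treats any Windows executable attachment (not only .exe) as a reason to quarantine, since the lure relies on a document icon rather than on a particular extension. The download host is redacted as {BLOCKED}oody.net in the advisory, so the URL check matches the visible suffix together with the file names; the mail headers, proxy log URLs and firewall log lines are constructed, and the firewall log format is assumed.

```python
"""Gateway checks for the Trojan Agent indicators in the advisory: the spam
subject line, executable attachments, the download URLs, the dynamic DNS
hosts contacted by the proxy variants and inbound connections to port 447.

Added example, not part of the CERT-In advisory. All sample data below is
constructed; the firewall log format is an assumption."""
import re
from urllib.parse import urlsplit

# Subject pattern from the advisory; the actor/actress name varies.
SPAM_SUBJECT = re.compile(r"^\s*full porno dvd\b", re.IGNORECASE)
# Windows executable extensions; broader than the advisory's .exe (assumption).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# The download host is redacted in the advisory, so match the visible suffix
# plus the file names; substitute the full host from the vendor write-up.
DOWNLOAD_HOST_SUFFIX = "oody.net"
DOWNLOAD_FILES = {"gobbaser.exe", "mitraser.exe"}
# Dynamic DNS parent domains whose {random} subdomains the proxy variants use.
DYNDNS_PARENTS = ("mooo.com", "dynserv.com", "yi.org", "dyndns.org")
PROXY_PORT = 447
# Assumed firewall log shape: "... TCP src:sport -> dst:dport".
FW_LINE = re.compile(r"(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")


def host_matches(host, parent):
    """True if host is parent itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)


def check_mail(msg):
    """msg: dict with lower-cased header names plus an 'attachments' list of
    file names. Returns the reasons to quarantine (empty list = deliver)."""
    reasons = []
    if SPAM_SUBJECT.search(msg.get("subject", "")):
        reasons.append("subject matches Trojan Agent spam campaign")
    for att in msg.get("attachments", []):
        if att.lower().endswith(EXECUTABLE_EXT):
            reasons.append(f"executable attachment {att}")
    return reasons


def check_url(url):
    """Return ("block", reason) for the download URLs, ("alert", reason) for
    the dynamic DNS hosts (legitimate hosts share those parents), else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    name = parts.path.rsplit("/", 1)[-1].lower()
    if host.endswith(DOWNLOAD_HOST_SUFFIX) and name in DOWNLOAD_FILES:
        return ("block", f"Trojan Agent download URL ({name})")
    if any(host_matches(host, p) for p in DYNDNS_PARENTS):
        return ("alert", f"dynamic DNS host {host} used by Trojan Agent proxy variants")
    return None


def check_firewall(line):
    """Flag an inbound TCP connection to the proxy port; None otherwise."""
    m = FW_LINE.search(line)
    if m and m.group("proto") == "TCP" and int(m.group("dport")) == PROXY_PORT:
        return (f"inbound connection to proxy port {PROXY_PORT} on "
                f"{m.group('dst')} from {m.group('src')}")
    return None


# Constructed samples: two mails, four proxied URLs, two firewall lines.
SAMPLE_MAILS = [
    {"subject": "Full porno dvd Some Actress", "attachments": ["dvd_preview.exe"]},
    {"subject": "Q2 budget", "attachments": ["budget.xls"]},
]
SAMPLE_URLS = [
    "http://www.{BLOCKED}oody.net/gobbaser.exe",
    "http://www.{BLOCKED}oody.net/index.html",
    "http://kx7q.dyndns.org/",
    "http://www.example.com/report.pdf",
]
SAMPLE_FW = [
    "2008-05-08 10:12:01 ALLOW TCP 203.0.113.5:51234 -> 10.0.0.23:447",
    "2008-05-08 10:12:05 ALLOW TCP 10.0.0.23:44711 -> 198.51.100.7:80",
]

if __name__ == "__main__":
    for msg in SAMPLE_MAILS:
        print("mail:", msg["subject"], "->", check_mail(msg) or "deliver")
    for url in SAMPLE_URLS:
        print("url:", url, "->", check_url(url) or "allow")
    for line in SAMPLE_FW:
        print("fw:", line, "->", check_firewall(line) or "ok")
```

The dynamic DNS parents are reported as alerts rather than blocks because a gateway that blocks dyndns.org outright breaks legitimate traffic; the download URLs, by contrast, can be blocked unconditionally once the redacted host has been filled in from the vendor write-up.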


References

http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EANAF
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EXOO
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EAMAL
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2ELJY
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EVLW
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EAZZZ
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EAAAS
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EERP
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2ELAM
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EWQZ
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EXAN
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EWBZ
http://www.trendmicro.com/Vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2EFRV
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhcm.html
http://vil.mcafeesecurity.com/vil/content/v_133747.htm
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=144165
http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99
http://www.threatexpert.com/report.aspx?uid=f53b8f7e-087c-458f-aaed-4adcbac94899
http://www.symantec.com/security_response/writeup.jsp?docid=2008-022819-2229-99&tabid=1
http://www.viruslist.com/en/viruses/encyclopedia?virusid=41042

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003