Threat Encyclopedia


Win32/TrojanDownloader.Agent.UF

Aliases:

Trojan-Clicker.Win32.Small.gp (Kaspersky)

Type: Trojan
Affects: 32-bit Windows


Summary

This Downloader Trojan is runtime compressed/protected by FSG, an executable file compressor, and is approximately 6 KB in size.

Note: In the following text, %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %system% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32).
These locations differ between versions of Microsoft Windows.

Installation and Autostart Techniques:

Upon execution, the Trojan enumerates all running processes using debug privileges and tries to terminate the following applications:

\tgbcde\module32.exe (malicious; if detected in the system folder)

ccapp.exe
zapro.exe
armor2net.exe
ZAPRO.EXE
amon.exe
MpfService.exe
zonealarm.exe
outpost.exe
firewall.exe
atguard.exe
tpfw.exe
kpf4ss.exe
NPROTECT.EXE
kpf4gui.exe

These files belong to programs such as:

Agnitum Outpost Firewall
Kaspersky Anti-Hacker
Kerio Personal Firewall 4
McAfee Personal Firewall
Norton Internet Security Professional
Tiny Firewall Pro
Zone Labs ZoneAlarm

The Trojan then tries to download the file "hammer.exe" from a remote webserver, saves it to the %windir% folder and executes it. "Hammer.exe" installs a TrojanProxy and is able to notify the remote webserver about the successful infection of the target machine. The download URL is stored in encrypted form inside the Trojan: http://{Removed}/zubox429/v0407/{Removed}.exe. The downloaded executable is also saved in the Internet file cache.

The Trojan also creates a batch file (1.bat) that deletes the downloader once the TrojanProxy component has been installed. Because a running executable cannot be deleted, the batch file loops, retrying the deletion, until the downloader exits and the delete is permitted.

Registry Modifications:

The Trojan tries to add the following registry key:

HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\

{ path to downloaded Trojan } = "{ path to downloaded Trojan }:*:Enabled:cmsscs"

This registry entry adds the downloaded Trojan to the list of applications authorized by the built-in Windows Firewall, so its network traffic is allowed through without a prompt.
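A defender can look for exactly this kind of tampering by auditing the AuthorizedApplications\List key. The script below is an added example written for this write-up, not code from the encyclopedia or from the malware. It parses a constructed .reg export of that key (the sample lines, the benign entries and the drop-directory list are assumptions) and flags Enabled exceptions whose executable sits directly in the Windows or a temp directory, or whose value name does not match the path inside the value.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample of a .reg export of the Windows Firewall authorized
# applications list. "hammer.exe" and the display name "cmsscs" follow the
# write-up; the other two entries are benign placeholders, not real IoCs.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\hammer.exe"="C:\\WINDOWS\\hammer.exe:*:Enabled:cmsscs"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:Remote Assistance"
'''

# Assumption: directories where a firewall-authorized executable is unusual
# for legitimate software (common malware drop locations, not an exhaustive list).
SUSPICIOUS_PARENT_DIRS = {r"c:\windows", r"c:\windows\temp", r"c:\temp"}

# A .reg string value line: "name"="value", with \\ and \" escapes inside.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Return name/value pairs for every quoted string value in the export."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            entries.append({"name": _unescape(m.group(1)),
                            "value": _unescape(m.group(2))})
    return entries


def parse_firewall_entry(value: str) -> Optional[Dict[str, str]]:
    """Split 'path:scope:state:display'; splitting from the right keeps the
    drive-letter colon inside the path."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, display = parts
    return {"path": path, "scope": scope, "state": state, "display": display}


def _normalize_path(path: str) -> str:
    # Assumption: %windir% / %SystemRoot% expand to C:\WINDOWS on the audited box.
    lowered = path.lower()
    for var in ("%windir%", "%systemroot%"):
        lowered = lowered.replace(var, r"c:\windows")
    return lowered


def audit_authorized_apps(reg_text: str) -> List[Dict[str, str]]:
    """Return the Enabled exceptions a defender should review, with reasons."""
    findings = []
    for entry in parse_reg_export(reg_text):
        fw = parse_firewall_entry(entry["value"])
        if fw is None:
            findings.append({"path": entry["name"], "reasons": "malformed value"})
            continue
        if fw["state"].lower() != "enabled":
            continue  # a disabled exception does not open the firewall
        reasons = []
        if _normalize_path(fw["path"]) != _normalize_path(entry["name"]):
            reasons.append("value path differs from value name")
        if ntpath.dirname(_normalize_path(fw["path"])) in SUSPICIOUS_PARENT_DIRS:
            reasons.append("executable sits directly in a system or temp directory")
        if reasons:
            findings.append({"path": fw["path"], "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit_authorized_apps(SAMPLE_REG_EXPORT):
        print(f"{f['path']}: {f['reasons']}")
```

On a live system the same logic applies to the output of `reg export` for that key (and, on later Windows versions, to the equivalent per-profile lists). Legitimate exceptions overwhelmingly point into Program Files or system32, so an Enabled entry for a bare executable in %windir%, as created here, deserves a closer look regardless of its display name.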

After installing the TrojanProxy component, the Trojan contacts http://{Removed}/zubox429/hammer.php in order to notify the attacker that the system was successfully compromised.

History: Analysis and write-up by Michael St. Neitzel