Friday, September 11, 2009

Virus: TR/Drop.Agent.agla - Trojan

Date discovered:26/02/2009
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:High
Static file:Yes
File size:172.207 Bytes

GENERAL
Aliases:
• Symantec: W32.SillyFDC
• Sophos: Mal/Generic-A
• Panda: W32/Lineage.KYR
• Eset: Win32/PSW.OnLineGames.NNU

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads files
• Drops malicious files
• Registry modification

FILES
It copies itself to the following locations:
• %SYSDIR%\kva8wr.exe
• %drive%\jbele1.com

It renames the following files:
• %malware execution directory% into c:\%existing file or directory%.vcd

It deletes the initially executed copy of itself.

It deletes the following file:
• %SYSDIR%\drivers\cdaudio.sys

It may corrupt the following file:
• %SYSDIR%\drivers\cdaudio.sys

The following files are created:
– %drive%\autorun.inf This is a non malicious text file with the following content:
• %code that runs malware%
– %SYSDIR%\drivers\klif.sys Further investigation pointed out that this file is malware, too.

Detected as: Rkit/Agent.4160
– %SYSDIR%\bgotrtu0.dll Detected as: TR/Vundo
– %SYSDIR%\uweyiwe0.dll Detected as: TR/Crypt.XPACK.Gen
– %drive%\lot.exe
– %SYSDIR%\ahnfgss0.dll
– %SYSDIR%\ahnsbsb.exe
– %SYSDIR%\ahnxsds0.dll

It tries to download some files:
– The location is the following:
• http://hjkio.com/xhg2/**********
– The location is the following:
• http://kioytrfd.com/xhg2/**********

REGISTRY
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "kvasoft"="%SYSDIR%\kva8wr.exe"

The following registry keys are added in order to load the service after reboot:
– [HKLM\SOFTWARE\System\CurrentControlSet\Services\KAVsys]
• "Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="\??\%SYSDIR%\drivers\klif.sys"
"DisplayName"="KAVsys"

The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• "NoDriveTypeAutoRun"=dword:00000091
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• "ShowSuperHidden"=dword:00000001
"Hidden"=dword:00000002

INJECTION
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "kvasoft"="%SYSDIR%\kva8wr.exe"

The following registry keys are added in order to load the service after reboot:
– [HKLM\SOFTWARE\System\CurrentControlSet\Services\KAVsys]
• "Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="\??\%SYSDIR%\drivers\klif.sys"
"DisplayName"="KAVsys"

The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• "NoDriveTypeAutoRun"=dword:00000091
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• "ShowSuperHidden"=dword:00000001
"Hidden"=dword:00000002

ROOTKIT TECHNOLOGY
Hides the following:
– Its own process
Method used:
• Hidden from Master File Table (MFT)
• Hidden from Windows API
• Hidden from Interrupt Descriptor Table (IDT)
____________________________________________

Avira AntiVir Free

3 comments:

  1. mY antivirus fail to detect a virus could u suggest me what antivirus work best?

    ReplyDelete
  2. I really like this blog.
    Thanks for providing the full information of Trojan about system requirement and many more.

    ReplyDelete