Friday, September 11, 2009

Virus: TR/Drop.Agent.agla - Trojan

Date discovered: 26/02/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: High
Static file: Yes
File size: 172.207 Bytes

GENERAL
Aliases:
• Symantec: W32.SillyFDC
• Sophos: Mal/Generic-A
• Panda: W32/Lineage.KYR
• Eset: Win32/PSW.OnLineGames.NNU

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads files
• Drops malicious files
• Registry modification

FILES
It copies itself to the following locations:
• %SYSDIR%\kva8wr.exe
• %drive%\jbele1.com

It renames the following files:
• %malware execution directory% into c:\%existing file or directory%.vcd

It deletes the initially executed copy of itself.

It deletes the following file:
• %SYSDIR%\drivers\cdaudio.sys

It may corrupt the following file:
• %SYSDIR%\drivers\cdaudio.sys

The following files are created:
– %drive%\autorun.inf: a non-malicious text file with the following content:
• %code that runs malware%
– %SYSDIR%\drivers\klif.sys: further investigation showed that this file is malware, too. Detected as: Rkit/Agent.4160
– %SYSDIR%\bgotrtu0.dll: detected as TR/Vundo
– %SYSDIR%\uweyiwe0.dll: detected as TR/Crypt.XPACK.Gen
– %drive%\lot.exe
– %SYSDIR%\ahnfgss0.dll
– %SYSDIR%\ahnsbsb.exe
– %SYSDIR%\ahnxsds0.dll

It tries to download some files:
– The location is the following:
• http://hjkio.com/xhg2/**********
– The location is the following:
• http://kioytrfd.com/xhg2/**********

REGISTRY
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "kvasoft"="%SYSDIR%\kva8wr.exe"

The following registry keys are added in order to load the service after reboot:
– [HKLM\SOFTWARE\System\CurrentControlSet\Services\KAVsys]
• "Type"=dword:00000001
• "Start"=dword:00000001
• "ErrorControl"=dword:00000001
• "ImagePath"="\??\%SYSDIR%\drivers\klif.sys"
• "DisplayName"="KAVsys"

The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• "NoDriveTypeAutoRun"=dword:00000091
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• "ShowSuperHidden"=dword:00000001
• "Hidden"=dword:00000002


ROOTKIT TECHNOLOGY
Hides the following:
– Its own process
Method used:
• Hidden from Master File Table (MFT)
• Hidden from Windows API
• Hidden from Interrupt Descriptor Table (IDT)
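The file and registry artefacts listed above can be turned directly into a host check. The following PowerShell script is an added example written for this page; it is not part of the Avira description and not code from the malware. It assumes it is run from an elevated prompt, that %SYSDIR% maps to [Environment]::SystemDirectory, and, because the service path printed above (HKLM\SOFTWARE\System\...) is not the usual location, it also looks under the standard HKLM\SYSTEM\CurrentControlSet\Services path as an assumption. It only reports; it does not remove anything.

```powershell
# Added hunting script for the TR/Drop.Agent.agla artefacts listed on this page.
# Not part of the original description. Run as Administrator.

$findings = @()
$sysdir = [Environment]::SystemDirectory   # %SYSDIR%, e.g. C:\Windows\system32

# 1. Files dropped into %SYSDIR% according to the FILES section
$files = @(
    "$sysdir\kva8wr.exe",
    "$sysdir\drivers\klif.sys",
    "$sysdir\bgotrtu0.dll",
    "$sysdir\uweyiwe0.dll",
    "$sysdir\ahnfgss0.dll",
    "$sysdir\ahnsbsb.exe",
    "$sysdir\ahnxsds0.dll"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Drive-root droppers (%drive%\autorun.inf, jbele1.com, lot.exe) on every mounted drive
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'autorun.inf', 'jbele1.com', 'lot.exe') {
        $p = Join-Path $d.Root $name
        if (Test-Path -LiteralPath $p) { $findings += "Drive-root artefact: $p" }
    }
}

# 3. Run-key persistence: value "kvasoft" pointing at kva8wr.exe
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$v = Get-ItemProperty -Path $run -Name kvasoft -ErrorAction SilentlyContinue
if ($v) { $findings += "Run value kvasoft = $($v.kvasoft)" }

# 4. Kernel-driver service KAVsys: path as printed on the page, plus the
#    standard services location (assumption, see lead-in)
foreach ($svc in 'HKLM:\SOFTWARE\System\CurrentControlSet\Services\KAVsys',
                 'HKLM:\SYSTEM\CurrentControlSet\Services\KAVsys') {
    if (Test-Path -LiteralPath $svc) {
        $ip = (Get-ItemProperty -Path $svc).ImagePath
        $findings += "Service key $svc (ImagePath=$ip)"
    }
}

# 5. Explorer settings the sample changes. CheckedValue=0 under SHOWALL makes the
#    "Show hidden files" option ineffective, which keeps the dropped files out of sight.
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
if ($pol -and $pol.NoDriveTypeAutoRun -eq 0x91) {
    $findings += "NoDriveTypeAutoRun=0x91 (AutoRun still enabled for removable drives)"
}
$showall = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if ($showall -and $showall.CheckedValue -eq 0) {
    $findings += "SHOWALL\CheckedValue=0 (Show hidden files setting neutralised)"
}

if ($findings.Count -eq 0) {
    'No TR/Drop.Agent.agla artefacts found.'
} else {
    'Possible TR/Drop.Agent.agla infection:'
    $findings | ForEach-Object { "  $_" }
}
```

Because the sample hides its process, files and driver from the Windows API (see the ROOTKIT TECHNOLOGY section), a negative result from an in-guest check like this is not conclusive; the registry values and the autorun.inf on drive roots are the more reliable indicators, and an offline scan of the disk from clean media is the definitive one.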
____________________________________________

Avira AntiVir Free

4 comments:

  1. My antivirus failed to detect a virus. Could you suggest which antivirus works best?
  2. I really like this blog.
    Thanks for providing the full information of Trojan about system requirement and many more.