TROJ_AGENT.ICO
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
It installs fake antivirus/antispyware software. It displays fake alerts that warn users of infection, along with fake scanning results for the affected system. Once the scan completes, it asks users to purchase the product. Users who decide to purchase the rogue product are directed to a website that asks for sensitive information, such as credit card numbers.
TECHNICAL DETAILS
File Size: 236,532 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 28 Apr 2011
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Trojan drops the following non-malicious files:
- %Documents and Settings%\All Users\Application Data\{random}
- %UserProfile%\Templates\{random}
Other System Modifications
This Trojan adds the following registry keys as part of its installation routine:
HKEY_CLASSES_ROOT\exefile\shell\open\command
Default = {malware path and filename} -a "%1" %*
(Note: The default value data of the said registry entry is "%1" %*.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Default = {malware path and filename} -a "C:\Program Files\Intern
(Note: The default value data of the said registry entry is Internet Explorer.)
It also creates the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\.exe\shell\open\command
Default = ""{malware path and filename}" -a "%1" %*"
HKEY_CURRENT_USER\Software\Classes\.exe
Default = exefile
HKEY_CLASSES_ROOT\.exe\DefaultIcon
Default = %1
HKEY_CLASSES_ROOT\.exe\shell\open\command
IsolatedCommand = "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\runas\command
Default = "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\runas\command
IsolatedCommand = "%1" %*
HKEY_CLASSES_ROOT\exefile
Content Type = application/x-msdownload
HKEY_CLASSES_ROOT\exefile\shell\open\command
IsolatedCommand = "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\runas\command
IsolatedCommand = "%1" %*
HKEY_CURRENT_USER\Software\Classes\.exe
Content Type = application/x-msdownload
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
Default = %1
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
Default = {malware path and filename} -a "%1" %*
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
IsolatedCommand = "%1" %*
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
Default = "%1" %*
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
IsolatedCommand = "%1" %*
HKEY_CURRENT_USER\Software\Classes\exefile
Default = Application
HKEY_CURRENT_USER\Software\Classes\exefile
Content Type = application/x-msdownload
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon
Default = %1
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command
Default = {malware path and filename} -a "%1" %*
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command
IsolatedCommand = "%1" %*
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command
Default = "%1" %*
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command
IsolatedCommand = "%1" %*
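The registry changes above hijack the .exe file association so that every program launch runs the Trojan first. The following read-only audit script is an added example, not part of the Trend Micro entry: it walks the association keys the entry lists and reports any command data that differs from the clean default the entry notes ("%1" %*); the iexplore.exe path pattern used for the Internet Explorer key is an assumption.

```powershell
# Added audit script, not part of the Trend Micro entry: reports association keys
# listed above whose data no longer matches the clean Windows default noted in the
# entry ("%1" %*). Read-only; run from an elevated PowerShell on the suspect host.

$Expected = '"%1" %*'

# Key paths exactly as the entry lists them (HKCR and HKCU\Software\Classes copies).
$Keys = @(
    'HKEY_CLASSES_ROOT\exefile\shell\open\command'
    'HKEY_CLASSES_ROOT\exefile\shell\runas\command'
    'HKEY_CLASSES_ROOT\.exe\shell\open\command'
    'HKEY_CLASSES_ROOT\.exe\shell\runas\command'
    'HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
    'HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command'
    'HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command'
    'HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)

$findings = foreach ($k in $Keys) {
    $path = "Registry::$k"
    if (-not (Test-Path -LiteralPath $path)) { continue }   # absent key: nothing hijacked

    # A clean install normally keeps no shell\ subkey under .exe itself; the extension
    # only points at exefile. The key's mere presence is therefore worth reporting.
    if ($k -like '*\.exe\shell\*') {
        [pscustomobject]@{ Key = $k; Value = '(key present)'; Data = '' }
    }

    $item = Get-Item -LiteralPath $path
    # GetValue('') returns the key's (Default) data; IsolatedCommand is the other
    # value name the Trojan writes.
    foreach ($name in @('', 'IsolatedCommand')) {
        $data = $item.GetValue($name)
        if ($null -eq $data) { continue }
        # The IE key legitimately holds a quoted path to iexplore.exe (pattern is an
        # assumption); the .exe/exefile command keys must equal "%1" %* exactly.
        if ($k -like '*IEXPLORE.EXE*') { $bad = $data -notmatch '^"?[^"]*iexplore\.exe"?$' }
        else { $bad = $data -ne $Expected }
        if ($bad) {
            $label = if ($name) { $name } else { '(Default)' }
            [pscustomobject]@{ Key = $k; Value = $label; Data = $data }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No modified .exe association or IE launch command found.' }
```

Any reported Data beginning with a file path followed by -a matches the pattern the entry describes; restore the listed keys to "%1" %* only after the file named in that path has been removed, or the launcher will simply be re-invoked.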
Rogue Antivirus Routine
This Trojan installs fake antivirus/antispyware software.
It displays fake alerts that warn users of infection, along with fake scanning results for the affected system. Once the scan completes, it asks users to purchase the product. Users who decide to purchase the rogue product are directed to a website that asks for sensitive information, such as credit card numbers.
NOTES:
Upon execution, it displays a GUI that is disguised as an antivirus called Total Security 2011.
Once the user agrees to purchase the rogue antivirus, it opens a window accessing the following URL:
- {BLOCKED}vunokyk.com/buy.html