TROJ_AGENT.ICO

 Analysis by: Erika Bianca Mendoza

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It installs a fake antivirus/antispyware software. It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.

  TECHNICAL DETAILS

File Size:

236,532 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

28 Apr 2011

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This Trojan drops the following non-malicious files:

  • %Documents and Settings%\All Users\Application Data\{random}
  • %UserProfile%\Templates\{random}

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\exefile\shell\
open\command
Default = {malware path and filename} -a "%1" %*

(Note: The default value data of the said registry entry is "%1" %*.)

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\IEXPLORE.EXE\shell\
open\command
Default = {malware path and filename} -a "C:\Program Files\Intern

(Note: The default value data of the said registry entry is Internet Explorer.)

It also creates the following registry entry(ies) as part of its installation routine:

HKEY_CLASSES_ROOT\.exe\shell\
open\command
Default = ""{malware path and filename}" -a "%1" %*"

HKEY_CURRENT_USER\Software\Classes\
.exe
Default = exefile

HKEY_CLASSES_ROOT\.exe\DefaultIcon
Default = %1

HKEY_CLASSES_ROOT\.exe\shell\
open\command
IsolatedCommand = "%1" %*

HKEY_CLASSES_ROOT\.exe\shell\
runas\command
default = "%1" %*

HKEY_CLASSES_ROOT\.exe\shell\
runas\command
IsolatedCommand = "%1" %*

HKEY_CLASSES_ROOT\exefile
Content Type = application/x-msdownload

HKEY_CLASSES_ROOT\exefile\shell\
open\command
IsolatedCommand = "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\
runas\command
IsolatedCommand = "%1" %*

HKEY_CURRENT_USER\Software\Classes\
.exe
Content Type = application/x-msdownload

HKEY_CURRENT_USER\Software\Classes\
.exe\DefaultIcon
Default = %1

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\open\
command
Default = {malware path and filename} -a "%1" %*

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\open\
command
IsolatedCommand = "%1" %*

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\runas\
command
Default = "%1" %*

HKEY_CURRENT_USER\Software\Classes\
.exe\shell\runas\
command
IsolatedCommand = "%1" %*

HKEY_CURRENT_USER\Software\Classes\
exefile
Default = Application

HKEY_CURRENT_USER\Software\Classes\
exefile
Content Type = application/x-msdownload

HKEY_CURRENT_USER\Software\Classes\
exefile\DefaultIcon
Default = %1

HKEY_CURRENT_USER\Software\Classes\
exefile\shell\open\
command
Default = {malware path and filename} -a "%1" %*

HKEY_CURRENT_USER\Software\Classes\
exefile\shell\open\
command
IsolatedCommand = "%1" %*

HKEY_CURRENT_USER\Software\Classes\
exefile\shell\runas\
command
Default = "%1" %*

HKEY_CURRENT_USER\Software\Classes\
exefile\shell\runas\
command
IsolatedCommand = "%1" %*

Rogue Antivirus Routine

This Trojan installs a fake antivirus/antispyware software.

It displays fake alerts that warn users of infection. It also displays fake scanning results of the affected system. It then asks for users to purchase it once scanning is completed. If users decide to purchase the rogue product, users are directed to a certain website asking for sensitive information, such as credit card numbers.

NOTES:
Upon execution, it displays a GUI that is disguised as an antivirus called Total Security 2011. Once the user agrees to purchase the rogue antivirus, it opens a window accessing the following URL:

  • {BLOCKED}vunokyk.com/buy.html