This application requires Javascript for optimal performance.

W32/Agent.AGGP!tr.dldr - Released Sep 14, 2008 - Last Updated Sep 29, 2008

Alias/es

Trojan-Downloader.Win32.Agent.aggp(KAV), W32/Downldr2.DVHI(F_Prot), Win32/TrojanDownloader.Agent.AFKH trojan(NOD32), Trj/Downloader.MDW(Panda), Trojan.Downloader-53034(ClamAV)

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Possible termination of the firewall or other security applications, including antivirus monitors.

  • It deletes itself from the current directory.

  • The following file exists:
    • C:\{random characters}.tmp

    Detailed Analysis


  • It deletes itself from the current directory.

  • It drops the following file:
    • C:\{random characters}.tmp
  • It stops and deletes the Windows service named McShield.

  • It teminates the process nod32krn.exe.

  • It modifies the following registry:
    • key: HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings
    • value: exc
    • data: 5B 32 5B 5B {removed}
  • It teminates the process avp.exe.

  • It executes the file msiexec.exe  to uninstall the Kaspersky Antivirus software.

  • It executes svchost.exe, then injects code into it.

  • It tries to download files from the following URLs:
    • http://79.135.{removed}.18/gpls32.exe
    • http://79.135.{removed}.18/sl32.exe
    • http://79.135.{removed}.18/scan4.exe
    • http://79.135.{removed}.18/cgi-bin/index.cgi?test2
  • It saves the downloaded files to the system root folder and executes them.

    • Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 559605