W32/Agent.DJBN!tr - Released Apr 27, 2010
Aliases: Trojan-Downloader:W32/Agent.DJBN (F-Secure), a variant of Win32/Kryptik.DZE (NOD32), Packed.Cupx!gen5 (Symantec)
Visible Symptoms
- The following file exists:
  - %Program Files%\Microsoft Common\svchost.exe
- The system may also be infected with PDF/Pidief.BV!exploit and VBS/Agent.DJBN!tr.
Detailed Analysis
W32/Agent.DJBN!tr is the detection for the Windows 32 executable file that is dropped by VBS/Agent.DJBN!tr.
Technical Details
- The malware is packed by UPX.
- It copies itself as the following file:
  - %Program Files%\Microsoft Common\svchost.exe
- It creates the following registry entry to set its copy as the default debugger of explorer.exe:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    Debugger = "%Program Files%\Microsoft Common\svchost.exe"
  This results in the file svchost.exe being injected into the explorer.exe process.
- It connects to the following URLs:
  - http://jadem[Removed]n.com/lde/ld.php?v=1&rs=[Varies]&n=[Varies]&uid=1
  - http://1fox[Removed]a.com/lde/ld.php?v=1&rs=[Varies]&n=[Varies]&uid=1
  - http://dols[Removed].com/lde/ld.php?v=1&rs=[Varies]&n=[Varies]&uid=1
- Analysis of the code reveals that a SYS file may be dropped into the %System%\drivers folder. This SYS file can be detected as W32/AutoRun!tr.
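The two indicators in the technical details above, the IFEO "Debugger" value on explorer.exe and the ld.php beacon URLs, can both be checked offline from artifacts an analyst already collects. The script below is an added example written for this page, not Fortinet's code or tooling: it parses a registry export for Image File Execution Options keys and flags Debugger values that either point at a svchost.exe outside System32 or are wired to explorer.exe, then scans proxy log lines for requests whose path and query match the `/lde/ld.php?v=1&rs=...&n=...&uid=1` shape regardless of host (the real domains are redacted on the page). The registry excerpt, the log lines and the placeholder hostnames are all constructed for the example; the two suspicion heuristics are this example's own.

```python
"""Offline triage for the indicators described on this page: an IFEO
"Debugger" hijack of explorer.exe and HTTP beacons to .../lde/ld.php.
All sample inputs below are constructed for this example, not captured data."""
import re
from urllib.parse import parse_qs

# Constructed excerpt of a `reg export` of the IFEO key (not a real system dump).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"UseFilterPathMatching"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsjitdebugger.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"
'''

# The only directories a genuine svchost.exe is installed in.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def _decode(data):
    """Unescape a REG_SZ literal ("..." with \\ and \" escapes); leave other types raw."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg text export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = _decode(data)
    return keys


def debugger_executable(cmdline):
    """Best-effort: the program part of an IFEO Debugger command line."""
    m = re.match(r'^"([^"]+)"|^(.+?\.exe)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmdline.split()[0]


def is_suspicious_debugger(image, exe):
    exe_l = exe.lower()
    name = exe_l.rsplit("\\", 1)[-1]
    # Heuristic 1 (this example's own): a file named like a core Windows
    # process (svchost.exe, as on this page) running from outside System32.
    masquerade = name == "svchost.exe" and not any(d in exe_l for d in SYSTEM_DIRS)
    # Heuristic 2 (this example's own): a Debugger wired to the shell itself;
    # explorer.exe has no routine reason to start under a debugger.
    shell_hijack = image.lower() == "explorer.exe"
    return masquerade or shell_hijack


def ifeo_findings(reg_text):
    """Return [(image, debugger_cmdline, suspicious)] for every IFEO Debugger value."""
    out = []
    for key, values in parse_reg_export(reg_text).items():
        if "\\image file execution options\\" not in key.lower() or "Debugger" not in values:
            continue
        image = key.rsplit("\\", 1)[-1]
        cmd = values["Debugger"]
        out.append((image, cmd, is_suspicious_debugger(image, debugger_executable(cmd))))
    return out


# Constructed proxy log lines (timestamp, client, method, URL). The hosts are
# placeholders standing in for the redacted domains listed on the page.
PROXY_LOG = """\
2010-04-27T10:01:02 10.0.0.5 GET http://c2-placeholder-1.example/lde/ld.php?v=1&rs=7&n=WS-7&uid=1
2010-04-27T10:01:05 10.0.0.5 GET http://www.example.com/index.html
2010-04-27T10:02:11 10.0.0.9 GET http://c2-placeholder-2.example/lde/ld.php?v=1&rs=3&n=LT-2&uid=1
2010-04-27T10:03:00 10.0.0.9 GET http://www.example.com/lde/ld.php?v=2&x=1
"""

BEACON_PATH = re.compile(r"/lde/ld\.php\?(?P<query>\S*)$", re.IGNORECASE)


def beacon_hits(log_text):
    """Requests matching the page's ld.php beacon shape (v=1, uid=1, and the
    variable rs/n fields present), matched on path and query, not host."""
    hits = []
    for line in log_text.splitlines():
        ts, client, _method, url = line.split()  # four fields by construction
        m = BEACON_PATH.search(url)
        if not m:
            continue
        q = parse_qs(m.group("query"))
        if q.get("v") == ["1"] and q.get("uid") == ["1"] and "rs" in q and "n" in q:
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for image, cmd, bad in ifeo_findings(REG_EXPORT):
        print(("SUSPICIOUS " if bad else "review     ") + f"IFEO {image} -> {cmd}")
    for ts, client, url in beacon_hits(PROXY_LOG):
        print(f"BEACON {ts} {client} {url}")
```

On a live host the same `ifeo_findings` logic can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; any Debugger value that survives the allowlist review should be compared with the %Program Files%\Microsoft Common\svchost.exe path given above, and the client addresses returned by `beacon_hits` are the hosts to check for that file.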
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.