| Malware name | Trojan.Agent.85823 |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 9014A4E49C86CCFE4B527A8E55F2AF94 |
| Static file | yes |
| Filesize | 45,080 Bytes |

Alias names (also known as)
| Sophos | Troj/Alllu-A |
| McAfee | Generic VB.c |
| CA ETrust | Win32/Landa.B |

| Side effects | Disable security applications; Registry modification |
| Propagation | No own spreading routine |
Description:
Files
It copies itself to the following locations:
• %all directories%\*.jpg.exe
• %all directories%\*.mp3.exe
• %all directories%\*.avi.exe
• %all directories%\*.mpg.exe
It creates the following directory:
• %malware execution directory%\%executed file%l
Registry
The following registry keys are added:
– [HKCU\Software\VB and VBA Program Settings\LA\run]
• 1="T"
– [HKCU\Software\VB and VBA Program Settings]
– [HKCU\Software\VB and VBA Program Settings\LA]
Process termination
It prevents processes from running if their filename contains one of the following strings:
• %PROGRAM FILES%\Symantec\LiveUpdate\LUALL.EXE
• dats.exe
File details
Programming language:
The malware program was written in Visual Basic.