Malware Information

Malware name: Trojan.Agent.AGNY
Type: Trojan
Affected platform: Win32
Media-Type: application/executable
MD5 checksum: 0A834D4813F7B44024B2E68D20957AEE
Static file: yes
Filesize: 205,449 Bytes
Alias names (also known as):
  • Sophos: Mal/Generic-A
  • McAfee: W32/Autorun.worm.g
  • CA ETrust: Win32/SillyAutorun.CY
Side effects:
  • Drops files
  • Lowers security settings
Propagation: Mapped network drives

Description:

Files

It copies itself to the following locations:
• c:\windows\system\lsass.exe
• C:\RECYCLER\Recycler\AutoLaunch.exe
• %TEMPDIR%\services.exe



It creates the following directory:
• %TEMPDIR%\WinSecurityUpd



The following files are created:

– drive:\autorun.inf
  This is a non-malicious text file with the following content:
%code that runs malware%

– %TEMPDIR%\WinSecurityUpd\ms_auto
  This is a non-malicious text file with the following content:
%code that runs malware%

– %TEMPDIR%\WinSecurityUpd\ms_drvlst
  This is a non-malicious text file with the following content:
• ABCDEFGHIJKLMNOPQRSTUVWXYZ

– %TEMPDIR%\WinSecurityUpd\udpate~1.tmp
  This is a non-malicious text file with the following content:
• file

– %TEMPDIR%\csrss.bat
  This is a non-malicious text file with the following content:
• %TEMPDIR%\csrss.bat

– %TEMPDIR%\ltmpp.bat
  It is executed once it has been fully created. This batch file is used to delete a file.
– %TEMPDIR%\lsassexe.bat
  It is executed once it has been fully created. This batch file is used to delete a file.



It tries to execute the following files:

– Filename:
• %SYSDIR%\netsh.exe
using the following command line arguments: firewall set opmode disable


– Filename:
• %SYSDIR%\cmd.exe
using the following command line arguments: /c if exist %TEMPDIR%\csrss.bat call %TEMPDIR%\csrss.bat


– Filename:
• %SYSDIR%\ping.exe
using the following command line arguments: google.com > %TEMPDIR%\ping2.log

File details

Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with the following runtime packer:
• UPX