| Field | Value |
| --- | --- |
| Malware name | Trojan.Dropper.Agent.abpb.1 |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 0CF60F6B9A43CF621F540D26128CDFAB |
| Static file | yes |
| Filesize | 319,648 Bytes |
| Alias names (also known as) | McAfee: Generic MultiDropper.d; CA ETrust: Win32/SillyDl.FIV |
| Side effects | Drops a file; drops malicious files; registry modification |
| Propagation | No own spreading routine |
Description:
Files
The following files are created:
– Non-malicious files:
• %PROGRAM FILES%\zzToolBar\Uninstall.exe
• %PROGRAM FILES%\zzToolBar\IP.dat
• %PROGRAM FILES%\zzToolBar\SearchEngineConfig
– A file for temporary use, which might be deleted afterwards:
• %TEMPDIR%\%four-digit random character string%.tmp\Processes.dll
– %PROGRAM FILES%\zzToolBar\ToolBand.dll – further investigation showed that this file is also malware. Detected as: ADSPY/ZzToolbar.B
– %PROGRAM FILES%\zzToolBar\Toolbar_bho.dll – further investigation showed that this file is also malware. Detected as: ADSPY/ZzToolbar.C
Registry
The following registry keys are added:
– [HKLM\SOFTWARE\zzToolbar\%chinese text%]
• Install_Dir="%PROGRAM FILES%\zzToolBar"
• ToolBarVer="2.0.0.9"
• TM="0"
• AgentID="%several random numbers from 0 to 9%"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
• BrowseNewProcess="yes"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\%chinese text%]
• DisplayName="%chinese text%"
• UninstallString=""%PROGRAM FILES%\zzToolBar\Uninstall.exe""
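The following PowerShell script is an added example, not part of the original description, that checks a Windows host for the files and registry keys listed in the Files and Registry sections above. It assumes the artifact paths as given; the variable components (%chinese text%, random strings) are matched by pattern, and BrowseNewProcess is a standard Explorer setting, so a hit on that key alone is not conclusive.

```powershell
# Added example: triage check for the zzToolBar artifacts described above.
# Run in an elevated PowerShell; every hit needs manual confirmation.
$findings = @()

# File artifacts under %PROGRAM FILES%\zzToolBar (32-bit dir on 64-bit hosts too)
$dirs = @(${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($base in $dirs) {
    $toolbarDir = Join-Path $base 'zzToolBar'
    foreach ($name in 'Uninstall.exe','IP.dat','SearchEngineConfig','ToolBand.dll','Toolbar_bho.dll') {
        $p = Join-Path $toolbarDir $name
        if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
    }
}

# Temporary DLL: %TEMPDIR%\<four random characters>.tmp\Processes.dll
Get-ChildItem -Path $env:TEMP -Directory -Filter '*.tmp' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^.{4}\.tmp$' } |
    ForEach-Object {
        $dll = Join-Path $_.FullName 'Processes.dll'
        if (Test-Path -LiteralPath $dll) { $findings += "File: $dll" }
    }

# Registry: the subkey names under zzToolbar and Uninstall are Chinese text in
# the report, so enumerate all subkeys and look at the values instead.
Get-ChildItem -Path 'HKLM:\SOFTWARE\zzToolbar' -ErrorAction SilentlyContinue | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath
    if ($v.Install_Dir -or $v.ToolBarVer -or $v.AgentID) { $findings += "Registry: $($_.Name)" }
}
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        if ($v.UninstallString -like '*zzToolBar\Uninstall.exe*') { $findings += "Registry: $($_.Name)" }
    }

# Weak indicator: BrowseNewProcess is a legitimate Explorer setting.
$bnp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess'
if ((Get-ItemProperty -Path $bnp -ErrorAction SilentlyContinue).BrowseNewProcess -eq 'yes') {
    $findings += "Registry (weak): $bnp BrowseNewProcess=yes"
}

if ($findings.Count -eq 0) { 'No zzToolBar artifacts found.' } else { $findings }
```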
File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: To hinder detection and reduce the file size, it is packed with a runtime packer.