McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Create Account | Login  | What is TrustedSource?
 
Home  Threats and Trends  Malware Information
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 

Malware Information

Malware nameTrojan.Dldr.Agent.amzp
TypeTrojan
Affected platformWin32
Media-Typeapplication/executable
MD5 checksum37A54F26AAE1C5F1886D72AEE40E0E9D
Static fileyes
Filesize77,828 Bytes
Alias names
(also known as)
SophosTroj/Renos-BQ
McAfeeDownloader-BKM
CA ETrustWin32/FakeAlert.KV
Side effects
  • Downloads malicious files
  • Registry modification
PropagationNo own spreading routine

Description:

Files

It tries to download some files:

– The location is the following:
• http://193.142.244.55/**********/item_g.gif
It is saved on the local hard drive under: %TEMPDIR%\~tmpa.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.BHO.hfq


– The location is the following:
• http://193.142.244.20/**********/216-1.exe
It is saved on the local hard drive under: %TEMPDIR%\~tmpc.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: 3041


– The location is the following:
• http://bigimagecatalogue.com/**********/chagall.gif
It is saved on the local hard drive under: %TEMPDIR%\~tmpd.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.Agent.87552.F

Registry

One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "MSFox"="%executed file%"



The following registry keys are added:

– [HKLM\SOFTWARE\Mozilla\MSFox]
• "Str5"="%random character string%"
• "Str9"="%random character string%"
• "Str6"="%random character string%"
• "Str7"="%random character string%"
• "Str8"="%random character string%"
• "Str4"="%random character string%"
• "Str1"="%random character string%"
• "Int2"=dword:%hex number%
• "Int3"=dword:%hex number%

– [HKLM\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
• "TrapPollTimeMilliSecs"=dword:%hex number%

File details

Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX
McAfee Homepage | Contact | Privacy Policy

Copyright © 2007-2009 McAfee, Inc. All Rights Reserved.

THE DATA IS FURNISHED, "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, AND MCAFEE® HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT, AND IN NO EVENT SHALL MCAFEE® BE LIABLE FOR COSTS OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL MCAFEE® BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT MCAFEE® HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.