McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Create Account | Login  | What is TrustedSource?
 
Home  Threats and Trends  Malware Information
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 


Malware Information

Malware nameTrojan.Dldr.Agent.bfbm
TypeTrojan
Affected platformWin32
Media-Typeapplication/executable
MD5 checksum58080AD8C2AC166CFB476139D6136BC5
Static fileyes
Filesize89,604 Bytes
Alias names
(also known as)
SophosMal/EncPk-CZ
McAfeeGeneric Dropper.cx
Protection
Webwasher Anti Malware7001.1173.x
Side effects
  • Downloads a file
  • Downloads malicious files
  • Registry modification

Description:

Files

It tries to download some files:

– The location is the following:
• http://images2009best.com/perce/%random character string%/*****.gif
It is saved on the local hard drive under: %TEMPDIR%\~tmpa.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.Agent.avds


– The location is the following:
• http://images-humanity.com/item/%random character string%/*****.gif
It is saved on the local hard drive under: %TEMPDIR%\~tmpb.exe Furthermore this file gets executed after it was fully downloaded.

– The location is the following:
• http://images-humanity.com/werber/*****.jpg
It is saved on the local hard drive under: %TEMPDIR%\~tmpc.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.Agent.bfbm


– The location is the following:
• http://best2009images.com/as/wea3/i/en-us/saw/*****.gif
It is saved on the local hard drive under: %TEMPDIR%\~tmpd.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.Agent.dde

Registry

One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• MSFox="%malware execution directory%\%executed file%"



The following registry key is added:

– [HKLM\SOFTWARE\Mozilla\MSFox]
• "Str5"=" %random character string%="
• "Str9"="%random character string%="
• "Str6"=" %random character string%=="
• "Str7"="%random character string%=="
• "Str8"="lw=="
• "Str4"=""
• "Str10"=""
• "Str1"=" %random character string%="
• "Int2"=dword:01c98116
• "Int3"=dword:a696bcd0

Miscellaneous

Mutex:
It creates the following Mutexes:
• Pf8tEzRXY0MhbrHxmUXF
• jv2GUjP707bgyKtTPna2

File details

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
McAfee Homepage | Contact | Privacy Policy

Copyright © 2007-2009 McAfee, Inc. All Rights Reserved.

THE DATA IS FURNISHED, "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, AND MCAFEE® HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT, AND IN NO EVENT SHALL MCAFEE® BE LIABLE FOR COSTS OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL MCAFEE® BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT MCAFEE® HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.