| Malware name      | Trojan.Agent.afbb                |
| Type              | Trojan                           |
| Affected platform | Win32                            |
| Media type        | application/executable           |
| MD5 checksum      | 013657A2155441684F38CB52593AEAA2 |
| Static file       | yes                              |
| File size         | 100,352 bytes                    |

Alias names (also known as):
| Sophos    | Mal/EncPk-CZ    |
| CA eTrust | Win32/Kollah.UA |

Side effects:
- Drops malicious files
- Registry modification
- Third party control
Description:
Files
It copies itself to the following locations:
• %WINDIR%\security\lsass.exe
• %drive%\viewfiles.exe
Note the location of the first copy: the genuine lsass.exe lives in %WINDIR%\System32, so an lsass.exe under %WINDIR%\security is a reliable indicator of this infection.
The following files are created:
– A file for temporary use, which may be deleted afterwards:
• %TEMPDIR%\lsasswin
– %drive%\autorun.inf
This is a plain text file, not executable code in itself, with the following content:
• %code that runs malware%
Registry
The following value is added to each of these keys so that the dropped copy is started again after a reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "Windows Intranet controller"="%WINDIR%\security\lsass.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Windows Intranet controller"="%WINDIR%\security\lsass.exe"
The following registry key and value are added. Windows itself does not use this key, so it serves as an indicator of the infection:
– [HKLM\SOFTWARE\Security]
• "version"="12"
IRC
To deliver system information and to provide remote control, it connects to the following IRC server:
Server: serv01.colo.**********.hu
Port: 31091
Channel: #support#
Nickname: %computer name%
Password: syslock
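The IRC login parameters above are the network indicators a detection engineer would key on. The following script is an added example written for this description, not code from the original page. It parses the client side of an IRC registration using the RFC 1459 message grammar, which any bot must follow to log in to a real IRC server, and scores one captured connection against the indicators: destination port 31091, PASS syslock, JOIN #support#, and a NICK equal to the infected host's computer name. The server name is redacted in the description and is therefore not used. The order of the commands in the captures, the captures themselves, and the names `parse_irc_line` and `score_connection` are assumptions constructed for this example.

```python
"""Network indicator check for the IRC command channel described above.

Added example, not part of the original description. Parses the client
half of an IRC login (RFC 1459 message grammar) and scores a captured
connection against the indicators on the page. The captures at the
bottom are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

C2_PORT = 31091
C2_PASSWORD = "syslock"
C2_CHANNEL = "#support#"


def parse_irc_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split one IRC message into (COMMAND, params), RFC 1459 section 2.3.1:
    optional ':prefix', command, space-separated params, optional ':trailing'."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        _, _, line = line.partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return parts[0].upper(), params


def score_connection(dst_port: int, computer_name: str, client_payload: str) -> Dict[str, object]:
    """Match one client-to-server payload against the C2 indicators.

    PASS syslock and JOIN #support# together identify this login; the port
    and the computer-name nickname are weaker and only reported alongside them.
    """
    matched: List[str] = []
    if dst_port == C2_PORT:
        matched.append("dst_port")
    for raw in client_payload.splitlines():
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        cmd, params = msg
        if cmd == "PASS" and params and params[0] == C2_PASSWORD:
            matched.append("pass")
        elif cmd == "NICK" and params and params[0].lower() == computer_name.lower():
            matched.append("nick_is_computer_name")
        elif cmd == "JOIN" and params and C2_CHANNEL in params[0].lower().split(","):
            matched.append("join")
    strong = {"pass", "join"} & set(matched)
    if len(strong) == 2:
        verdict = "match"
    elif strong:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"matched": matched, "verdict": verdict}


# Constructed captures: the trojan's login from host WKS-0417, and a benign IRC client.
SAMPLE_INFECTED = (
    "PASS syslock\r\n"
    "NICK WKS-0417\r\n"
    "USER WKS-0417 0 * :WKS-0417\r\n"
    "JOIN #support#\r\n"
)
SAMPLE_BENIGN = (
    "NICK alice\r\n"
    "USER alice 0 * :Alice\r\n"
    "JOIN #python,#security\r\n"
    "PRIVMSG #python :hello\r\n"
)

if __name__ == "__main__":
    print(score_connection(C2_PORT, "WKS-0417", SAMPLE_INFECTED))
    print(score_connection(6667, "WKS-0417", SAMPLE_BENIGN))
```

The two strong indicators are plain strings in the first packets of the TCP session, so they translate directly into an IDS content match on traffic to port 31091; the nickname check needs the host's name from inventory and is best applied when triaging a single alert.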
File details
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.