File system changes: creates these files:
Upon execution, Agent.FBB will create a copy of itself in %appdata%\deveinf.exe. (%appdata% refers to C:\Documents and Settings\[username]\Application Data).
In addition, the following files are created:
• %windir%\system32\devecl.dll
• %windir%\system32\deveio.dll
• %windir%\system32\drivers\devekd.sys
• %appdata%\dever.tmp
(%windir% refers to C:\WINDOWS)
A mutex with the same name as the parent file, "deveinf.exe", is created.
Process changes: creates these processes:
Once executed, a process IEXPLORE.EXE is created. The two DLL files, "devecl.dll" and "deveio.dll", are injected into IEXPLORE.EXE.
"devecl.dll" has been detected as Trojan:W32/Inject.EC which manipulates IEXPLORE.EXE to make the following registry changes:
• HKEY_CURRENT_USER\Software\myclient
Software = iamxxxx
• HKEY_CURRENT_USER\Software\myclient
myclient = myuser@webmail.hotmailhotmail.com.cn
• HKEY_CURRENT_USER\Software\myclient
ip = 127.0.0.1
• HKEY_CURRENT_USER\Software\myclient
port = 000001BB
• HKEY_CURRENT_USER\Software\Microsoft
Waiting = 0100007F
• HKEY_CURRENT_USER\Software\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe C:\DOCUME~1\[username]\APPLIC~1\deveinf.exe
The modified Winlogon registry value enables the malware to start automatically whenever the system is restarted.
"deveio.dll" is detected as Backdoor:W32/Hupigon.bxbh, which captures keyboard keystrokes on the infected machine.
Registry modifications: sets these values:
The infected machine will also show the following registry changes:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSKDC
Type = 00000001
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSKDC
Start = 00000003
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSKDC
ErrorControl = 00000000
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSKDC
ImagePath = C:\WINDOWS\System32\drivers\devekd.sys
The last registry key allows the rootkit to be started automatically as a Windows NT service on every subsequent system startup.
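To check a host for the two persistence mechanisms described above (the extra executable appended to the Winlogon Shell value and the MSKDC kernel-driver service) and to decode the REG_DWORD configuration values, here is an added Python example; it is not part of the original description. It parses a constructed sample in the same key/value layout as the listing above, not a live registry, and the function names are my own.

```python
# Constructed sample in the same "Key / Name = Value" layout as the listing
# above (values copied from the description, not a live registry export).
SAMPLE = """\
HKEY_CURRENT_USER\\Software\\myclient
port = 000001BB
HKEY_CURRENT_USER\\Software\\Microsoft
Waiting = 0100007F
HKEY_CURRENT_USER\\Software\\Windows NT\\CurrentVersion\\Winlogon
Shell = explorer.exe C:\\DOCUME~1\\[username]\\APPLIC~1\\deveinf.exe
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MSKDC
Type = 00000001
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MSKDC
ImagePath = C:\\WINDOWS\\System32\\drivers\\devekd.sys
"""

def parse_listing(text):
    """Turn the listing into (key, name, value) triples; a key line applies
    to the 'Name = Value' line that follows it."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("HKEY_"):
            key = line
        elif key and " = " in line:
            name, value = line.split(" = ", 1)
            entries.append((key, name, value))
    return entries

def dword_to_ipv4(hexval):
    """Read a REG_DWORD as a little-endian IPv4 address: 0100007F -> 127.0.0.1."""
    return ".".join(str(b) for b in int(hexval, 16).to_bytes(4, "little"))

def find_indicators(entries):
    """Flag the persistence and configuration values the description lists."""
    hits = {}
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        # Winlogon Shell should be exactly explorer.exe; anything appended
        # is launched alongside the shell at every logon.
        if k.endswith("\\winlogon") and n == "shell" and value.lower() != "explorer.exe":
            hits["winlogon_shell"] = value
        # Service Type 1 = SERVICE_KERNEL_DRIVER (Start 3 = demand start).
        if "\\services\\" in k and n == "type" and int(value, 16) == 1:
            hits["kernel_driver_service"] = key.rsplit("\\", 1)[1]
        if n == "port":
            hits["port"] = int(value, 16)   # 000001BB -> 443
        if n == "waiting":
            hits["waiting_ip"] = dword_to_ipv4(value)
    return hits
```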
The "devekd.sys" driver uses rootkit techniques to hide itself, the injected IEXPLORE.EXE process, and the malicious DLL files mentioned above. It also hides devenum.dll, a legitimate Windows system file that Windows uses when enumerating the available devices that receive DirectX data.
These hidden files and processes can be revealed with SysInternals RootkitRevealer.