F-Secure
Tools
Trojan-Downloader:W32/Agent.HSM
Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Additional Details
This trojan may be downloaded from a malicious website. It may also arrive as an e-mail attachment.
Known e-mail subjects associated with this malware are:
Installation
During installation, the trojan will drop a copy of itself to:
It also sets a launch point with the following registry key:
It will then try to launch svchost.exe, and injects its code by replacing the launched svchost.exe code.
Execution
Upon execution, this malware will attempt to connect to the following websites:
It then attempts to download additional files from the following IP addresses:
As of this writing, these IP addresses are down and are not available.
Known e-mail subjects associated with this malware are:
- Really cool photos
- Exclusive photos, you'll be happy
- Spam: Great photos for you
- Great photos for you
- The best photos for you
Installation
During installation, the trojan will drop a copy of itself to:
- %systemroot%\system32\rs32net.exe
It also sets a launch point with the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rs32net = %systemroot%\system32\rs32net.exe
It will then try to launch svchost.exe, and injects its code by replacing the launched svchost.exe code.
Execution
Upon execution, this malware will attempt to connect to the following websites:
- http://astana1988.[...]hostia.com
- http://astana.[...]fire.net
It then attempts to download additional files from the following IP addresses:
- 91.203.92.7
- 208.66.195.16
- 208.66.195.71
- 208.66.195.232
- 208.66.195.240
- 216.195.55.50
- 216.195.56.22
- 209.66.122.238
As of this writing, these IP addresses are down and are not available.