Additional Details
This trojan may be downloaded from a malicious website. It may also arrive as an e-mail attachment.
Known e-mail subjects associated with this malware are:
• Really cool photos
• Exclusive photos, you'll be happy
• Spam: Great photos for you
• Great photos for you
• The best photos for you
Installation
During installation, the trojan drops a copy of itself to:
• %systemroot%\system32\rs32net.exe
It also sets a launch point with the following registry key:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rs32net = %systemroot%\system32\rs32net.exe
It then launches a new svchost.exe process and injects its own code into it, replacing the code of the legitimate svchost.exe image so that the trojan runs under that trusted process name.
Execution
Upon execution, the malware attempts to connect to the following websites:
• http://astana1988.[...]hostia.com
• http://astana.[...]fire.net
It then attempts to download additional files from the following IP addresses:
• 91.203.92.7
• 208.66.195.16
• 208.66.195.71
• 208.66.195.232
• 208.66.195.240
• 216.195.55.50
• 216.195.56.22
• 209.66.122.238
As of this writing, these IP addresses are down and no longer reachable.
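The installation indicators above (the dropped file, the Run key, and a svchost.exe started by the trojan) and the execution indicators (the two C2 hostnames and the download IP addresses) turned into an offline matcher, as an added example that is not part of the original description. It runs over a handful of Sysmon-style events constructed here for illustration; the event type names and field names, the "svchost.exe whose parent is not services.exe" heuristic, and the middle hostname label standing in for the page's "[...]" are all assumptions.

```python
"""Offline indicator matcher for the rs32net trojan described above.

Added example, not code from the original description. The event
types, field names and sample events are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# Indicators from the description. The two C2 hostnames are elided on
# the page ("[...]"), so only their visible prefix and suffix are matched.
DROPPED_FILE_SUFFIX = r"\system32\rs32net.exe"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run\rs32net"
C2_HOST_PATTERNS = [
    re.compile(r"^astana1988\..*hostia\.com$", re.IGNORECASE),
    re.compile(r"^astana\..*fire\.net$", re.IGNORECASE),
]
DOWNLOAD_IPS = {
    "91.203.92.7", "208.66.195.16", "208.66.195.71", "208.66.195.232",
    "208.66.195.240", "216.195.55.50", "216.195.56.22", "209.66.122.238",
}
# svchost.exe is normally started by services.exe; one with any other
# parent matches the "launch svchost.exe and replace its code" step.
# Heuristic (assumption), not proof of infection on its own.
LEGIT_SVCHOST_PARENTS = {"services.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm_key(key: str) -> str:
    # Sysmon writes HKLM\..., registry exports write HKEY_LOCAL_MACHINE\...
    return re.sub(r"^hkey_local_machine", "hklm", key.lower())


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every indicator the event matches."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        if event["target"].lower().endswith(DROPPED_FILE_SUFFIX):
            hits.append("dropped rs32net.exe")
    elif kind == "registry_set":
        key = _norm_key(event["target"])
        value = event.get("details", "").lower()
        # Either the exact Run value from the page, or any Run value that
        # points at rs32net.exe (covers a renamed value name).
        if key.endswith(RUN_KEY_SUFFIX) or (
            "\\currentversion\\run\\" in key and "rs32net.exe" in value
        ):
            hits.append("Run key persistence for rs32net")
    elif kind == "process_create":
        if (_basename(event["image"]) == "svchost.exe"
                and _basename(event["parent"]) not in LEGIT_SVCHOST_PARENTS):
            hits.append("svchost.exe with unexpected parent")
    elif kind == "dns_query":
        if any(p.match(event["query"]) for p in C2_HOST_PATTERNS):
            hits.append("C2 hostname lookup")
    elif kind == "network_connect":
        if event["dest_ip"] in DOWNLOAD_IPS:
            hits.append("connection to download IP")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through match_event; return (event index, indicator)."""
    findings = []
    for i, ev in enumerate(events):
        for name in match_event(ev):
            findings.append((i, name))
    return findings


# Constructed sample: three benign events, then the infection chain.
# "elided" below stands in for the part of the hostname the page omits.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "file_create", "target": r"C:\Users\alice\Downloads\photos.zip"},
    {"type": "network_connect", "dest_ip": "93.184.216.34"},
    {"type": "file_create", "target": r"C:\WINDOWS\system32\rs32net.exe"},
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net",
     "details": r"C:\WINDOWS\system32\rs32net.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\WINDOWS\system32\rs32net.exe"},
    {"type": "dns_query", "query": "astana1988.elided.hostia.com"},
    {"type": "network_connect", "dest_ip": "208.66.195.16"},
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The dropped-file and Run-key checks are the reliable ones; the svchost.exe parent heuristic and the IP list will age (the page itself notes the addresses are already down), so treat those as leads to confirm rather than verdicts.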