Trojan-Downloader:W32/Agent.IDO

Name : Trojan-Downloader:W32/Agent.IDO
Category:Malware
Type:Trojan-Downloader
Platform:W32

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Additional Details

The trojan-downloader Agent.IDO drops the following files onto the system:

  • %windir%\system32\win.exe
  • %ProgramFiles%\Microsoft Commom\svchost.exe

The svchost.exe file is detected as Trojan-Downloader:W32/Agent.IDP.


Payload

The downloading component of this trojan-downloader is actually a separate piece of malware, Agent.IDP, which Agent.IDO drops as part of its payload.

Once dropped, Agent.IDP adds the following autorun key to the Windows registry, so that it will run at each subsequent startup:

  • Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer
    Value: Debugger
    Data: %Program Files%\Microsoft Common\svchost.exe
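The persistence above relies on the Image File Execution Options (IFEO) Debugger value: when Windows starts the image named by the subkey, it launches the Debugger executable instead and passes the original command line to it, so a Debugger pointing at the dropped svchost.exe runs every time Explorer is started. The audit below is an added example, not F-Secure's code: it parses a Regedit 5.00 export of the IFEO tree and flags Debugger values that do not live in a trusted debugger directory, calling out separately a file named like a core Windows binary that sits outside System32. The .reg text, the trusted-directory list and the benign notepad.exe entry are all constructed for the example.

```python
"""Audit Image File Execution Options (IFEO) Debugger values from a .reg export.

Added example; the sample export, the trusted-directory list and the
helper names are constructed for illustration, not taken from the
malware description.
"""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Directories a legitimate JIT debugger is expected to be installed in.
# Assumption for this example; tune it to the environment being audited.
TRUSTED_DEBUGGER_DIRS = (
    r"c:\windows\system32",
    r"c:\program files\windows kits",
    r"c:\program files (x86)\microsoft visual studio",
)

# Constructed Regedit 5.00 export: one malicious entry modelled on the
# description above, one benign JIT debugger, one key with no Debugger.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\system32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
'''


def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: data}}.

    Only REG_SZ and dword values are handled, which is enough for an IFEO audit.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: drop the quotes and undo the .reg backslash escaping
                data = data[1:-1].replace("\\\\", "\\")
            entries[current][name] = data
    return entries


def debugger_executable(command):
    """Extract the executable path from a Debugger command line."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    # Unquoted: take everything up to the first .exe, which keeps
    # paths containing spaces intact.
    unquoted = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return unquoted.group(1) if unquoted else command.split(" ", 1)[0]


def audit_ifeo(reg_text):
    """Return one finding per IFEO subkey that carries a Debugger value."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
            continue
        image = key[len(IFEO_PREFIX) + 1:]
        if "Debugger" not in values:
            continue
        exe = debugger_executable(values["Debugger"])
        exe_l = exe.lower()
        trusted = any(exe_l.startswith(d + "\\") for d in TRUSTED_DEBUGGER_DIRS)
        # A binary named svchost.exe outside System32 is a name masquerade.
        masquerade = (exe_l.endswith("\\svchost.exe")
                      and not exe_l.startswith("c:\\windows\\system32\\"))
        findings.append({"image": image, "debugger": exe,
                         "suspicious": not trusted, "masquerade": masquerade})
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['image']:14} -> {f['debugger']}"
              + ("  [masquerades as a system binary]" if f["masquerade"] else ""))
```

On a live host the same logic applies to the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; the explorer entry in the constructed sample reproduces the key, value and data listed above and is the one the audit flags.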

When executed, Agent.IDP attempts to connect to the following websites:

  • http://univnext.cn/ld.php?v=1&rs=[...]=1&uid=1
  • http://218.93.202.102/ld.php?v=1&rs=[...]=1&uid=1
  • http://whv67.cn/ld.php?v=1&rs=[...]=1&uid=1

Fortunately, these websites are currently not operational.
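Even with the servers down, a client that keeps beaconing to these URLs is still an infected host worth finding. The scanner below is an added example, not part of the description: it walks proxy log lines and reports a request either because the host is one of the three listed above or because the URL has the `ld.php?v=...&rs=...&uid=...` shape, so a changed hosting address still matches. The log format (Squid-style native access log) and all log lines are constructed; the `rs=` values stand in for the part elided as `[...]` above.

```python
"""Flag proxy requests matching the Agent.IDP download URLs.

Added example. Log lines are constructed in Squid native access-log layout;
the rs= values are placeholders for the parameter elided in the description.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts listed in the description.
KNOWN_HOSTS = {"univnext.cn", "218.93.202.102", "whv67.cn"}
# Query parameters the listed URLs carry.
BEACON_PARAMS = {"v", "rs", "uid"}

SAMPLE_LOG = """\
1245000001.123    120 10.0.0.7 TCP_MISS/200 512 GET http://univnext.cn/ld.php?v=1&rs=abc&uid=1 - DIRECT/198.51.100.9 text/html
1245000002.456     80 10.0.0.8 TCP_MISS/200 9301 GET http://www.example.com/index.html - DIRECT/198.51.100.20 text/html
1245000003.789    130 10.0.0.7 TCP_MISS/404 310 GET http://203.0.113.5/ld.php?v=1&rs=zz&uid=1 - DIRECT/203.0.113.5 text/html
1245000004.000     90 10.0.0.9 TCP_MISS/200 1204 GET http://www.example.com/ld.php?page=1 - DIRECT/198.51.100.20 text/html
"""


def classify_url(url):
    """Return 'ioc-host', 'beacon-pattern' or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_HOSTS:
        return "ioc-host"
    query_keys = set(parse_qs(parts.query).keys())
    if parts.path.lower().endswith("/ld.php") and BEACON_PARAMS <= query_keys:
        return "beacon-pattern"
    return None


def scan_proxy_log(text):
    """Return (client_ip, url, reason) for every matching request.

    Field layout assumed: time elapsed client code/status bytes method url ...
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, url = fields[2], fields[6]
        reason = classify_url(url)
        if reason:
            hits.append((client, url, reason))
    return hits


def infected_clients(text):
    """Distinct client addresses seen beaconing, in order of first appearance."""
    seen = []
    for client, _, _ in scan_proxy_log(text):
        if client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client:12} {reason:15} {url}")
    print("clients to isolate:", ", ".join(infected_clients(SAMPLE_LOG)))
```

The pattern match deliberately requires both the `ld.php` path and all three parameter names; a plain `ld.php?page=1` on an unrelated site, as in the last constructed line, is not reported.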