F-Secure
Tools
Trojan-Dropper:W32/Agent.FLN
| Name : | Trojan-Dropper:W32/Agent.FLN |
| Detection Names : |
Trojan-Dropper:W32/Agent.FLN |
| Aliases : |
TrojanDropper:Win32/Alureon.gen!B (Microsoft) |
| Size: | 80272 |
| Category: | Malware |
| Type: | Trojan-Dropper |
| Platform: | W32 |
Summary
This type of trojan contains one or more malicious programs, which it secretly installs and executes.
Details
Registry Modifications
Creates these keys:
• HKEY_CLASSES_ROOT\homeview\CLSID
(default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"
(default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"
• HKEY_CURRENT_USER\Software\homeview
(default) = "%Program Files%\homeview"
(default) = "%Program Files%\homeview"
• HKEY_CURRENT_USER\Software\{NSINAME}
Start Menu Folder = "homeview"
Start Menu Folder = "homeview"
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\homeview\CLSID
(default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"
(default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\homeview
UninstallString = "%Program Files%\homeview\Uninstall.exe"
InstallLocation = "%Program Files%\homeview"
DisplayName = "homeview"
DisplayIcon = "%Program Files%\homeview\Uninstall.exe,0"
UninstallString = "%Program Files%\homeview\Uninstall.exe"
InstallLocation = "%Program Files%\homeview"
DisplayName = "homeview"
DisplayIcon = "%Program Files%\homeview\Uninstall.exe,0"
Additional Details
This trojan-dropper masquerades as a Homeview installer. In reality, its main purpose is to install Trojan:W32/DNSChanger.ARNF onto the system.
Execution
Upon execution, it will display the following fake screens, to mimic the legitimate installation sequence for Homeview:
Installation
While the fake installation screens are distracting user, the malware creates and executes this file:
This file is detected as Trojan:W32/DNSChanger.ARNF.
If the fake Homeview installation sequence is completed, a new folder named %Program Files%\homeview is created and this file is added to it:
This uninstaller is capable of removing the Homeview-related registry entries and deleting itself and its folder. It is however incapable of removing Trojan:W32/DNSChanger.ARNF, or the changes that malware makes to the system.
Execution
Upon execution, it will display the following fake screens, to mimic the legitimate installation sequence for Homeview:
Installation
While the fake installation screens are distracting user, the malware creates and executes this file:
• %temp%\jah339312.exe
This file is detected as Trojan:W32/DNSChanger.ARNF.
If the fake Homeview installation sequence is completed, a new folder named %Program Files%\homeview is created and this file is added to it:
• %Program Files%\homeview\Uninstall.exe
This uninstaller is capable of removing the Homeview-related registry entries and deleting itself and its folder. It is however incapable of removing Trojan:W32/DNSChanger.ARNF, or the changes that malware makes to the system.