Trojans are malicious programs that pretend to be benign. Trojans do not replicate themselves.
Disinfection & Removal
Trojan:W32/Agent.FVO was sent in several spam runs in Denmark. The e-mail messages are in Danish and were sent to Danish e-mail addresses. The e-mail message claims to be from F-Secure support. The message appears as follows:
From: email@example.com
Date: 26. August 2008 08:31
Subject: Data er tillagt og sendt med denne meddelelse.

Käre kunder!
Regning Data er tillagt og sendt med denne meddelelse. Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve. Antispam er helt gratis for private brugere.

Attachment: f-secure.rar

The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe that attempts to connect to a server located in Ukraine. The IP address to which Agent.FVO attempts to connect hosts a fake version of MP3.com.
File System Changes
Creates these files:
Attempts to connect with HTTP to:
Sets these values:
- HKCU\software\ewrew\dcbcg\main cid = F5CAA48923FD4CCA8D239AE89BEAC0B9
- HKCU\software\ewrew\sample\main cid = 28280947699F4F27B32917B2C8654CE4
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run _ = c:\windows\system32\drivers\dcbcg.exe
Creates these keys:
F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version]
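A triage check for the Run-key persistence listed under "Sets these values", as an added example that is not part of the original description: it parses `reg query` output and flags autorun values that launch an .exe from system32\drivers or whose value name contains no letters or digits. The sample input is constructed, and both heuristics are assumptions generalised from the single Run value shown on this page.

```python
import re

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    _    REG_SZ    c:\windows\system32\drivers\dcbcg.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
"""

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Executable launched from the drivers directory, as in the Run value on this page.
EXE_IN_DRIVERS = re.compile(r"\\system32\\drivers\\[^\\\"]+\.exe\b", re.IGNORECASE)


def suspicious_run_entries(reg_query_output):
    """Return (key, value name, data, reasons) for Run values matching the heuristics."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # remember which key the following values belong to
            continue
        match = VALUE_LINE.match(line)
        if not match or key is None or not RUN_KEY.search(key):
            continue
        name, data = match["name"], match["data"]
        reasons = []
        if EXE_IN_DRIVERS.search(data):
            reasons.append("exe under system32\\drivers")
        if not any(ch.isalnum() for ch in name):
            reasons.append("value name has no letters or digits")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in suspicious_run_entries(SAMPLE):
        print(f"{key} [{name}] -> {data}: {', '.join(reasons)}")
```

On a live host, the input would come from `reg query` run against the HKLM and HKCU Run keys.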