F-Secure Malware Information Pages: Trojan:W32/Agent.FVO

Summary

Trojans are malicious programs that pretend to be benign. Trojans do not replicate themselves.

Details

File System Changes

Creates these files:
- %windir%\system32\drivers\dcbcg.exe

Network Connections

Attempts to connect with HTTP to:
- http://91.203.[REMOVED]/port/c.php?l=US&d=F5CAA48923FD4CCA8D239AE89BEAC0B9&ver=3.6.7&rvz1=2650&rvz2=0000091859

Registry Modifications

Sets these values:
- HKCU\software\ewrew\dcbcg\main
  cid = F5CAA48923FD4CCA8D239AE89BEAC0B9
- HKCU\software\ewrew\sample\main
  cid = 28280947699F4F27B32917B2C8654CE4
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  _ = c:\windows\system32\drivers\dcbcg.exe

Creates these keys:
- HKCU\software\ewrew
- HKCU\software\ewrew\sample
- HKCU\software\ewrew\sample\main
- HKCU\software\ewrew\dcbcg
- HKCU\software\ewrew\dcbcg\main

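As an added defender-side example (not part of the F-Secure write-up), the following Python matches the beacon URL shape and the registry artifacts listed above against a constructed proxy log and a constructed .reg export; the 192.0.2.10 host and the sample lines are placeholders, not the real server.

```python
import re

# Beacon request shape from Network Connections: /port/c.php with a 32-hex "d"
# parameter (the value also stored as "cid" in the registry) plus ver/rvz1/rvz2.
BEACON_RE = re.compile(
    r"/port/c\.php\?l=(?P<l>[A-Z]{2})&d=(?P<d>[0-9A-Fa-f]{32})"
    r"&ver=(?P<ver>[0-9.]+)&rvz1=\d+&rvz2=\d+")
# Registry artifacts from Registry Modifications, in the long key form a .reg
# export uses (HKCU -> HKEY_CURRENT_USER, HKLM -> HKEY_LOCAL_MACHINE).
EWREW_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\software\\ewrew", re.I)
RUN_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\]", re.I)
# .reg exports double the backslashes inside values, so accept one or more.
DROPPER_RE = re.compile(r"\\+system32\\+drivers\\+dcbcg\.exe", re.I)

def find_beacons(proxy_lines):
    """Return (client, cid, version) for each proxy log line carrying the beacon."""
    hits = []
    for line in proxy_lines:
        m = BEACON_RE.search(line)
        if m:
            hits.append((line.split()[0], m.group("d").upper(), m.group("ver")))
    return hits

def find_registry_artifacts(reg_export):
    """Scan .reg-style text and return (key, reason) for each artifact found."""
    findings, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line
            if EWREW_KEY_RE.match(key):
                findings.append((key, "ewrew configuration key"))
        elif key and RUN_KEY_RE.match(key) and DROPPER_RE.search(line):
            findings.append((key, "Run value launches dcbcg.exe"))
    return findings

# Constructed sample input; 192.0.2.10 is a documentation-range placeholder,
# not the real server (the write-up redacts it).
SAMPLE_PROXY = [
    '10.0.0.15 - - [26/Aug/2008:08:40:11 +0200] "GET http://192.0.2.10/port/c.php'
    '?l=US&d=F5CAA48923FD4CCA8D239AE89BEAC0B9&ver=3.6.7&rvz1=2650&rvz2=0000091859 HTTP/1.1" 200 12',
    '10.0.0.16 - - [26/Aug/2008:08:41:02 +0200] "GET http://www.example.com/ HTTP/1.1" 200 5120',
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\software\ewrew\dcbcg\main]
"cid"="F5CAA48923FD4CCA8D239AE89BEAC0B9"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"_"="c:\\windows\\system32\\drivers\\dcbcg.exe"
"""
```

The cid reported in a beacon hit can be cross-checked against the `cid` value under `HKCU\software\ewrew\<name>\main` on the suspected host, since the write-up lists the same value in both places.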
Additional Details

Trojan:W32/Agent.FVO was sent in several spam runs in Denmark. The e-mail messages are written in Danish and were sent to Danish e-mail addresses.
The e-mail messages claim to be from F-Secure support.
The message appears as follows:

From: supportupdate@f-secure.com
Date: 26. August 2008 08:31
Subject: Data has been attached and sent with this message.

Dear customers!
Invoice
Data has been attached and sent with this message.
I use the free F-secure antispam version, which has already removed 338 spam messages.
Antispam is completely free for private users.
Attachment: f-secure.rar

The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe that attempts to connect to a server located in Ukraine.
The IP address to which Agent.FVO attempts to connect hosts a fake version of MP3.com.

Detection

F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version] Version = 2008-08-26_06.

F-Secure Corporation

Last Modified: August 26, 2008