Threat Description

Worm:W32/Agent.T

Details

Aliases: Trojan.Downloader-1419, Trojan.Downloader.Agent.ASH, W32/Generic.m
Category: Malware
Type: Worm, Trojan-Downloader
Platform: W32

Summary

A type of worm that replicates by sending complete, independent copies of itself over a network.

Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Network Disinfection

For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.

Technical Details

Worm:W32/Agent.T drops several copies of itself onto the system and downloads additional malware from the Internet.

Execution

Upon execution, Agent.T drops the following files:

  • %windir%\yqqty.exe - A copy of itself.

It modifies the following autostart registry entry to enable its automatic execution every system boot-up:

  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit=%windir%\system32\userinit.exe,%windir%\yqqty.exe

Note: The default value is Userinit=%windir%\system32\userinit.exe

It may also drop a copy of itself onto several drives. An Autorun.inf file, a configuration file that causes the malware to be executed automatically when the drive or directory is opened, is dropped alongside the main executable.

Activity

Agent.T downloads the following files from the Internet:

  • http://www.sinavip.net/A[REMOVED].asp
  • http://www.sinavip.net/L[REMOVED].txt

It then saves the files to the Windows directory using the following filenames:

  • listsas.txt
  • saslogww.txt

One of the text files contains the following download sites:

  • http://www.aame.cn/k[REMOVED].rar
  • http://www.aame.cn/c[REMOVED].rar

The downloaded files are also trojan-downloaders that are now detected as Trojan-Downloader:W32/Small.EJW and Trojan-Downloader:W32/Small.ELM.
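The following offline triage helper is an added example written for this page; it is not F-Secure code and does not touch the registry or the file system itself. It takes three inputs an analyst would already have collected (the Winlogon Userinit value, the contents of a dropped Autorun.inf, and a listing of the Windows directory) and flags the indicators described in the Execution and Activity sections above: an extra Userinit entry beyond the default userinit.exe, Autorun.inf directives that launch a program when a drive is opened, and the dropped file names yqqty.exe, listsas.txt and saslogww.txt. The sample inputs at the bottom are constructed for the example, not captured from an infection.

```python
"""Offline triage helpers for the Agent.T indicators described on this page.

Added example, not F-Secure code. The three checks run on values an analyst
has already exported; nothing here reads the live registry or disk.
"""
import configparser
import re

# File names the page reports Agent.T writing into %windir%.
KNOWN_DROPPED_FILES = ("yqqty.exe", "listsas.txt", "saslogww.txt")

# Autorun.inf keys that make Windows run a program when the drive is opened.
_AUTORUN_LAUNCH_KEYS = ("open", "shellexecute")
_SHELL_COMMAND_RE = re.compile(r"shell\\[^\\]+\\command")


def extra_userinit_entries(value):
    """Return the comma-separated Userinit entries other than userinit.exe.

    Windows runs every entry of this value at interactive logon, so a clean
    system carries only the single default entry.  The page gives it as
    %windir%\\system32\\userinit.exe; registries usually store it with the
    drive letter expanded and a trailing comma, so we match on the path
    suffix and drop empty entries to accept both spellings.
    """
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries
            if e and not e.lower().endswith(r"\system32\userinit.exe")]


def autorun_launch_targets(inf_text):
    """Return (key, command) pairs from the [autorun] section of an
    Autorun.inf that would start a program when the drive/folder is opened.

    configparser lower-cases keys for us; strict=False tolerates the
    duplicate keys that hand-written autorun files sometimes contain.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    found = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, val in cp.items(section):
            if key in _AUTORUN_LAUNCH_KEYS or _SHELL_COMMAND_RE.fullmatch(key):
                found.append((key, val.strip()))
    return found


def suspicious_windir_entries(listing):
    """Return names from a %windir% listing that match the file names the
    page attributes to Agent.T (case-insensitive, as NTFS is)."""
    wanted = {n.lower() for n in KNOWN_DROPPED_FILES}
    return sorted(name for name in listing if name.lower() in wanted)


def triage(userinit_value, inf_text, windir_listing):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for e in extra_userinit_entries(userinit_value):
        findings.append(f"Userinit runs an extra program: {e}")
    for key, cmd in autorun_launch_targets(inf_text):
        findings.append(f"Autorun.inf {key} launches: {cmd}")
    for name in suspicious_windir_entries(windir_listing):
        findings.append(f"Known Agent.T file name present: {name}")
    return findings


# --- constructed sample inputs (not captured from a real infection) ---
SAMPLE_USERINIT = r"%windir%\system32\userinit.exe,%windir%\yqqty.exe"
SAMPLE_AUTORUN_INF = r"""[autorun]
open=yqqty.exe
shellexecute=yqqty.exe
shell\open=Open
shell\open\command=yqqty.exe
"""
SAMPLE_WINDIR = ["explorer.exe", "YQQTY.EXE", "listsas.txt", "notepad.exe"]

if __name__ == "__main__":
    for line in triage(SAMPLE_USERINIT, SAMPLE_AUTORUN_INF, SAMPLE_WINDIR):
        print(line)
```

On a real host the Userinit value comes from the registry key quoted above, and the Autorun.inf and directory listing from the drive under examination; feeding those exports to triage() gives the same six-line report the constructed sample produces. An extra Userinit entry is worth investigating on its own, regardless of the file name it points at, since any such entry runs at every logon.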
