Trojan-Downloader:W32/Agent.ICF attempts to download files. It also drops files and writes to the system registry.
Attention: %windir% represents the default Windows directory.Creates these files:
Replaces the following file with a copy of itself:
Note: The file called rsvp.exe is a Windows system file. Deletion of the malware file during disinfection will require the repair of the system file.Creates these directories:
Creates these processes:
Uses these temporary processes:
These modules were loaded into other processes:
Creates these mutexes:
Attempts to download files from:
Sets these values:
Creates these keys:
Notepod: Agent.ICF creates a file called notepod.exe and sets a registry value to associate .TXT files with it. If the system user opens a text file notepod.exe will be launched, which in turn calls on notepad.exe. Notepad.exe is a legitimate Windows file.The launching of notepod.exe will once again execute the trojan-downloader mechanisms.Automatic Updates: Agent.ICF attempts to delete the Automatic Updates service. The Automatic Update service enables the download and installation of Windows updates.Autorun Features: Agent.ICF also contains autorun features. See the Worm/W32:Autorun description for additional details. The autorun.inf file will copy to the root of a removable drive. Under a folder called recycled there is a file called cleardisk.pif. The PIF file a copy of the trojan-downloader.
Date Created: -
Date Last Modified: -