Threat Descriptions

Trojan-Downloader:W32/Agent.ICF

Classification

Category :

Malware

Type :

Trojan-Downloader

Platform :

W32

Aliases :

Trojan-Downloader:W32/Agent.ICF

Summary

Trojan-Downloader:W32/Agent.ICF attempts to download files. It also drops files and writes to the system registry.

Removal

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

File System Changes

Attention: %windir% represents the default Windows directory.Creates these files:

  • %windir%\system32\dx6vcl.dll
  • %windir%\system32\notepod.exe
  • %windir%\system32\disk.ico
  • %windir%\system32\xtemp1.exe
  • %windir%\system32\xtemp2.exe

Replaces the following file with a copy of itself:

  • %windir%\system32\rsvp.exe

Note: The file called rsvp.exe is a Windows system file. Deletion of the malware file during disinfection will require the repair of the system file.Creates these directories:

  • %windir%\Web\webpf
  • %windir%\Web\webdc
  • %windir%\Web\webpt
  • %windir%\Web\webhp
  • %windir%\Web\webxs

Process Changes

Creates these processes:

  • %windir%\system32\rsvp.exe

Uses these temporary processes:

  • %windir%\system32\xtemp1.exe
  • %windir%\system32\xtemp2.exe

These modules were loaded into other processes:

  • %windir%\system32\dx6vcl.dll Loaded into %windir%\system32\svchost.exe

Creates these mutexes:

  • c:!windows!system32!config!systemprofile !local settings!temporary internet files!content.ie5!
  • c:!windows!system32!config!systemprofile!cookies!
  • c:!windows!system32!config!systemprofile!local settings!history!history.ie5!

Network Connections

Attempts to download files from:

  • http://www.why001.com/[Removed].exe
  • http://www.koreaara.com/down/[Removed].rar
  • http://63.245.209.10/[Removed].dat

Registry Modifications

Sets these values:

  • HKLM\System\CurrentControlSet\Control\Session Manager\SFC ProgramFilesDir = C:\Program Files\x174
  • HKLM\System\CurrentControlSet\Control\Session Manager\SFC CommonFilesDir = C:\Program Files\Common FilesurrentControlSet \Control\Session Manager
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt Application = notepod.exe
  • HKLM\System\CurrentControlSet\Services\RSVP Type = 00000010
  • HKLM\System\CurrentControlSet\Services\RSVP Start = 00000002
  • HKLM\System\CurrentControlSet\Services\RSVP ErrorControl = 00000000
  • HKCU\Software\Microsoft\Windows Script\Settings JITDebug = 00000000

Creates these keys:

  • HKLM\Software\Classes\Applications\notepod.exe
  • HKLM\Software\Classes\Applications\notepod.exe\shell
  • HKLM\Software\Classes\Applications\notepod.exe\shell\open
  • HKLM\Software\Classes\Applications\notepod.exe\shell\open\command
  • HKCU\Software\Microsoft\Windows Script
  • HKCU\Software\Microsoft\Windows Script\Setting

Additional Details

Notepod: Agent.ICF creates a file called notepod.exe and sets a registry value to associate .TXT files with it. If the system user opens a text file notepod.exe will be launched, which in turn calls on notepad.exe. Notepad.exe is a legitimate Windows file.The launching of notepod.exe will once again execute the trojan-downloader mechanisms.Automatic Updates: Agent.ICF attempts to delete the Automatic Updates service. The Automatic Update service enables the download and installation of Windows updates.Autorun Features: Agent.ICF also contains autorun features. See the Worm/W32:Autorun description for additional details. The autorun.inf file will copy to the root of a removable drive. Under a folder called recycled there is a file called cleardisk.pif. The PIF file a copy of the trojan-downloader.