


Category: Malware

Type: Trojan-Downloader

Aliases: Trojan-Downloader:W32/KDV-176347, Trojan.generic.kdv.176347, Trojan-Downloader.Win32.Agent.gctp


This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Technical Details

This trojan is disguised as a DOC file. When executed, it downloads a document from a remote site (hxxp://www.epof.ru/[...]/document.doc) and displays it, furthering the deception that the file is a legitimate document.

[Screenshot: the document displayed by the trojan]

In the meantime, the trojan will attempt to download malicious files from the following URLs:

  • hxxp://www.epof.ru/[...]/load.php?file=0
  • hxxp://www.epof.ru/[...]/load.php?file=1
  • hxxp://www.epof.ru/[...]/load.php?file=2
  • hxxp://www.epof.ru/[...]/load.php?file=3
  • hxxp://www.epof.ru/[...]/load.php?file=4
  • hxxp://www.epof.ru/[...]/load.php?file=5
  • hxxp://www.epof.ru/[...]/load.php?file=6
  • hxxp://www.epof.ru/[...]/load.php?file=7
  • hxxp://www.epof.ru/[...]/load.php?file=8
  • hxxp://www.epof.ru/[...]/load.php?file=9
  • hxxp://www.epof.ru/[...]/load.php?file=uploader
  • hxxp://www.epof.ru/[...]/load.php?file=grabbers

At the time of writing, the domain contacted by the malware is blocked by the Browsing Protection feature of our product.
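The request pattern listed above can also be hunted in web proxy logs. The following Python is an added example, not F-Secure's code: it flags any client that fetches several distinct `load.php?file=` values from one server within a short window. The log layout, the thresholds, the function names and the sample hosts are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# file= values listed in the description above: 0-9, "uploader", "grabbers"
STAGES = {str(n) for n in range(10)} | {"uploader", "grabbers"}

def stage_of(url):
    """Return the file= value if url is .../load.php?file=<listed value>, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/load.php"):
        return None
    values = parse_qs(parts.query).get("file", [])
    return values[0] if len(values) == 1 and values[0] in STAGES else None

def find_downloader_hosts(lines, min_stages=3, window=timedelta(minutes=5)):
    """Map (client, server) to its stages when >= min_stages distinct ones fall in window."""
    hits = defaultdict(list)  # (client, server) -> [(time, stage)]
    for line in lines:
        fields = line.split()  # assumed layout: <ISO time> <client> <method> <url>
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed layout
        ts, client, _method, url = fields
        stage = stage_of(url)
        if stage is not None:
            hits[(client, urlsplit(url).hostname)].append((datetime.fromisoformat(ts), stage))
    flagged = {}
    for key, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[key] = sorted(stages)
                break
    return flagged

# Constructed proxy log: hosts, paths and times are placeholders, not indicators from the page
SAMPLE_LOG = """\
2024-01-15T09:14:02 10.0.0.23 GET http://files.example.test/a/load.php?file=0
2024-01-15T09:14:03 10.0.0.23 GET http://files.example.test/a/load.php?file=uploader
2024-01-15T09:14:05 10.0.0.23 GET http://files.example.test/a/load.php?file=grabbers
2024-01-15T09:20:00 10.0.0.40 GET http://intranet.example.test/load.php?file=1
2024-01-15T10:45:00 10.0.0.40 GET http://intranet.example.test/load.php?file=2
2024-01-15T12:10:00 10.0.0.40 GET http://intranet.example.test/load.php?file=3
2024-01-15T09:21:00 10.0.0.51 GET http://cdn.example.test/load.php?file=report.pdf
""".splitlines()

if __name__ == "__main__":
    print(find_downloader_hosts(SAMPLE_LOG))
```

Requiring several distinct values in a burst keeps an unrelated application that happens to expose a `load.php?file=` endpoint (the 10.0.0.40 and 10.0.0.51 lines in the sample) from being flagged on a single hit.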