Trojan-Dropper:W32/Agent.DJGD

Trojan-Dropper:W32/Agent.DJGD is dropped by Exploit:W32/XDropper.BR and downloads malicious files onto the infected system. At the time of writing, the server Agent.DJGD connects to is down.

Execution

On execution, Agent.DJGD displays fake system update messages:

Meanwhile, the malware targets the printer spooler service as launchpoint, infecting the spoolsv.exe by inserting a malicious import library (msxml0r.dll). The malware saves a copy of the original, uninfected spoolsv.exe file at setup\fxjssocm.exe, and creates a copy of the infected spoolsv.exe file as spooler.exe (this filename is not part of the default Windows XP installation).The timestamp for the msxml0r.dll library is set to be the same as system32\spoolss.dll; the system32\setup folder is also modified to have the same (usually older) timestamp as system32\root.Agent.DJGD also disables directory change notification signals to evade system changes.

Activity

The trojan-dropper's file includes encrypted URLs meant for downloading 3 other malicious files. The URLs are located at the end of the file; their absence would cause the trojan-dropper to fail. The trojan-dropper is intended to download files which use .GIF extensions, but are actually executable files. Once downloaded, the files would be dropped to the C:\Windows\Tasks using the following names:

• svchost.gif
• userinit.exe
• wuauclt.exe

Fortunately, at the time of writing, the URLs are dead and the server is down.Once the trojan-dropper has executed and downloaded the malicious files, it is designed to delete its own file.