Trojan-Dropper:W32/Agent.DJGD

Classification

Category: Malware

Type: Trojan-Dropper

Aliases: Trojan-Dropper:W32/Agent.DJGD

Summary

This type of trojan contains one or more malicious programs, which it will secretly install and execute.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan-Dropper:W32/Agent.DJGD is dropped by Exploit:W32/XDropper.BR and downloads malicious files onto the infected system. At the time of writing, the server Agent.DJGD connects to is down.

Execution

On execution, Agent.DJGD displays fake system update messages:

Meanwhile, the malware uses the printer spooler service as its launch point: it infects spoolsv.exe by inserting a malicious import library (msxml0r.dll). The malware saves a copy of the original, uninfected spoolsv.exe file as setup\fxjssocm.exe, and creates a copy of the infected spoolsv.exe file as spooler.exe (this filename is not part of the default Windows XP installation).

The timestamp of the msxml0r.dll library is set to match that of system32\spoolss.dll, and the system32\setup folder is given the same (usually older) timestamp as system32\root, so the new files do not stand out by date. Agent.DJGD also disables directory change notification signals so that its file system changes are not reported.

Activity

The trojan-dropper's file includes encrypted URLs for downloading three other malicious files. The URLs are located at the end of the file; if they are absent, the trojan-dropper fails. The files it downloads use .GIF extensions but are actually executables. Once downloaded, they are dropped into the C:\Windows\Tasks folder under the following names:

  • svchost.gif
  • userinit.exe
  • wuauclt.exe

Fortunately, at the time of writing, the URLs are dead and the server is down. Once the trojan-dropper has executed and downloaded the malicious files, it is designed to delete its own file.
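Two of the behaviours described above, the extra import library inserted into the spooler binary (Execution) and the downloaded payloads that carry .GIF extensions but are really executables (Activity), can both be checked for statically. The following Python script is an added example written for this page; it is not F-Secure code and not part of the malware. It constructs minimal PE images in memory as stand-ins for the uninfected and infected spooler copies and for the downloaded files (the import lists are hypothetical, not the real spoolsv.exe import table), then reports import DLLs present only in the suspect image and files whose GIF extension hides a PE header.

```python
import struct


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a raw file offset via the section table."""
    for va, raw_ptr, size in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def is_pe(data):
    """True when the bytes start with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_import_dlls(data):
    """Return the DLL names listed in the import directory of a PE image."""
    if not is_pe(data):
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dd_off = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+ data directories
    import_rva, _ = struct.unpack_from("<II", data, dd_off + 8)  # entry 1 = import table
    sections = []
    for i in range(nsec):
        base = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, base + 8)
        sections.append((va, raw_ptr, max(vsize, raw_size)))
    dlls = []
    if import_rva == 0:
        return dlls
    off = _rva_to_offset(import_rva, sections)
    while True:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:  # an all-zero descriptor terminates the table
            break
        name_off = _rva_to_offset(name_rva, sections)
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return dlls


def added_imports(clean, suspect):
    """DLLs imported by `suspect` but not by `clean` (case-insensitive comparison)."""
    known = {d.lower() for d in pe_import_dlls(clean)}
    return [d for d in pe_import_dlls(suspect) if d.lower() not in known]


def masquerading_gifs(files):
    """Names whose extension says GIF but whose content is a PE image."""
    return [name for name, data in files.items()
            if name.lower().endswith(".gif") and is_pe(data)]


def build_sample_pe(import_names):
    """Construct a minimal PE32 image with one section holding only an import table."""
    desc_len = 20 * (len(import_names) + 1)  # descriptors plus the null terminator
    names, name_rvas = bytearray(), []
    for n in import_names:
        name_rvas.append(0x1000 + desc_len + len(names))
        names += n.encode("ascii") + b"\0"
    body = bytearray()
    for rva in name_rvas:
        body += struct.pack("<IIIII", 0, 0, 0, rva, 0)  # OFT, stamp, fwd chain, Name, FT
    body += b"\0" * 20 + names
    body += b"\0" * (-len(body) % 512)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, 0x1000, desc_len)    # import directory RVA/size
    sec = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(body), 0x1000,
                      len(body), 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return bytes(headers + b"\0" * (0x200 - len(headers)) + body)


# Constructed samples: hypothetical import lists, not the real spoolsv.exe table.
CLEAN_SPOOLER = build_sample_pe(["KERNEL32.dll", "RPCRT4.dll"])
INFECTED_SPOOLER = build_sample_pe(["KERNEL32.dll", "RPCRT4.dll", "msxml0r.dll"])
DOWNLOADS = {"svchost.gif": build_sample_pe(["KERNEL32.dll"]),
             "logo.gif": b"GIF89a" + b"\0" * 32}

if __name__ == "__main__":
    print("imports added to spooler:", added_imports(CLEAN_SPOOLER, INFECTED_SPOOLER))
    print("GIF-named PE files:", masquerading_gifs(DOWNLOADS))
```

In practice the baseline should be a known-good copy of spoolsv.exe from trusted media rather than any copy found on the compromised host, and any file in C:\Windows\Tasks that begins with an MZ header while named as an image warrants quarantine and a sample submission.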