Trojan-Dropper:W32/Agent.DJGD

Classification

Malware

Trojan-Dropper

W32

Trojan-Dropper:W32/Agent.DJGD

Summary

This type of trojan contains one or more malicious programs, which it will secretly install and execute.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Technical Details

Trojan-Dropper:W32/Agent.DJGD is dropped by Exploit:W32/XDropper.BR and downloads malicious files onto the infected system. At the time of writing, the server Agent.DJGD connects to is down.

Execution

On execution, Agent.DJGD displays fake system update messages.

Meanwhile, the malware uses the printer spooler service as its launch point, infecting spoolsv.exe by inserting a malicious import library (msxml0r.dll). The malware saves a copy of the original, uninfected spoolsv.exe file as setup\fxjssocm.exe, and creates a copy of the infected spoolsv.exe file as spooler.exe (this filename is not part of the default Windows XP installation).

The timestamp of the msxml0r.dll library is set to match that of system32\spoolss.dll; the system32\setup folder is also modified to have the same (usually older) timestamp as system32\root. Agent.DJGD also disables directory change notification signals so that its changes to the file system are not reported.

Activity

The trojan-dropper's file includes encrypted URLs for downloading three other malicious files. The URLs are located at the end of the file; if they are absent, the trojan-dropper fails. The files it is intended to download use .GIF extensions but are actually executable files. Once downloaded, the files would be dropped into C:\Windows\Tasks using the following names:

  • svchost.gif
  • userinit.exe
  • wuauclt.exe

Fortunately, at the time of writing, the URLs are dead and the server is down. Once the trojan-dropper has executed and downloaded the malicious files, it is designed to delete its own file.
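As an added, defender-side example that is not part of this F-Secure write-up: a Python triage script that checks a Windows directory for the artifacts described in the Execution and Activity sections above (the dropped files, the msxml0r.dll import in spoolsv.exe, and the copied timestamps). The spoolsv.exe check is a plain string-search heuristic rather than a full PE import-table parse, and the layout built by demo() is constructed for illustration only.

```python
import os
import tempfile
from pathlib import Path

# File artifacts the write-up attributes to Agent.DJGD, relative to the Windows directory.
DROPPED_FILES = [
    "system32/msxml0r.dll",           # malicious import library inserted into spoolsv.exe
    "system32/setup/fxjssocm.exe",    # backup of the clean spoolsv.exe
    "system32/spooler.exe",           # copy of the infected spoolsv.exe
    "Tasks/svchost.gif", "Tasks/userinit.exe", "Tasks/wuauclt.exe",  # downloaded payloads
]
# (artifact, legitimate object) pairs whose modification times the dropper makes identical.
TIMESTAMP_PAIRS = [("system32/msxml0r.dll", "system32/spoolss.dll"),
                   ("system32/setup", "system32/root")]

def scan(windir):
    """Return the Agent.DJGD indicators found under the given Windows directory."""
    windir, findings = Path(windir), []
    for rel in DROPPED_FILES:
        if (windir / rel).exists():
            findings.append(f"artifact present: {rel}")
    # Heuristic import check: PE import directories store DLL names as ASCII strings,
    # so a clean spoolsv.exe never contains the string "msxml0r.dll".
    spoolsv = windir / "system32" / "spoolsv.exe"
    if spoolsv.is_file() and b"msxml0r.dll" in spoolsv.read_bytes().lower():
        findings.append("spoolsv.exe references msxml0r.dll")
    for artifact, reference in TIMESTAMP_PAIRS:
        a, r = windir / artifact, windir / reference
        if a.exists() and r.exists() and abs(a.stat().st_mtime - r.stat().st_mtime) < 1:
            findings.append(f"timestamp of {artifact} matches {reference}")
    return findings

def demo():
    """Build a constructed (fake) infected layout in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    for d in ("system32/setup", "system32/root", "Tasks"):
        (root / d).mkdir(parents=True)
    # Constructed stand-ins, not real binaries: the "infected" spooler carries the rogue DLL name.
    (root / "system32/spoolsv.exe").write_bytes(b"MZ...KERNEL32.dll\0MSXML0R.dll\0")
    (root / "system32/spoolss.dll").write_bytes(b"MZ")
    for rel in DROPPED_FILES:
        (root / rel).write_bytes(b"MZ")
    old = 1_000_000_000  # one shared, old mtime, mimicking the timestamp copying
    for artifact, reference in TIMESTAMP_PAIRS:   # set after the writes above changed dir mtimes
        os.utime(root / reference, (old, old))
        os.utime(root / artifact, (old, old))
    return scan(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```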