Trojan-Dropper:W32/Agent.DJGD

Classification

Malware

Trojan-Dropper

W32

Summary

This type of trojan contains one or more malicious programs, which it will secretly install and execute.

Automatic action

Depending on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan-Dropper:W32/Agent.DJGD is dropped by Exploit:W32/XDropper.BR and downloads additional malicious files onto the infected system. At the time of writing, the server that Agent.DJGD connects to was down.

Execution

On execution, Agent.DJGD displays fake system update messages.

Meanwhile, the malware uses the Print Spooler service as its launch point: it infects spoolsv.exe by inserting a malicious import library, msxml0r.dll, so that the DLL is loaded whenever the spooler starts. It saves a copy of the original, uninfected spoolsv.exe as setup\fxjssocm.exe, and creates a copy of the infected spoolsv.exe as spooler.exe (a filename that is not part of a default Windows XP installation).

To make the new files blend in, the timestamp of the msxml0r.dll library is set to match system32\spoolss.dll, and the system32\setup folder is given the same (usually older) timestamp as system32\root. Agent.DJGD also disables directory change notification signals, so that the file-system changes it makes do not trigger change notifications.

Activity

The trojan-dropper's file contains encrypted URLs for downloading three further malicious files. The URLs are stored at the end of the file, and the trojan-dropper fails if they are missing. The files it is intended to download use a .GIF extension but are actually executable files. Once downloaded, they would be written to C:\Windows\Tasks under the following names:

  • svchost.gif
  • userinit.exe
  • wuauclt.exe

Fortunately, at the time of writing, the URLs were dead and the server was down. Once the trojan-dropper has executed and downloaded the malicious files, it is designed to delete its own file.
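The Execution and Activity sections above give a small set of host indicators: spooler.exe and setup\fxjssocm.exe beside spoolsv.exe, an msxml0r.dll that spoolsv.exe now imports, cloned timestamps, and files in the Tasks folder that carry a .gif extension but are really executables. The following sweep is an added example written for this page, not F-Secure's detection logic; the file names come from the description, while the tree layout (a `system32` and a `Tasks` folder under one root) and the constructed test files are assumptions standing in for %SystemRoot% on an infected machine.

```python
"""Host IOC sweep for the Agent.DJGD indicators listed above (added example, not F-Secure code).

It inspects a Windows-style tree rooted at `root` (a mounted image, a copied
%SystemRoot%, or the constructed test tree built below) and reports:
  * spooler.exe in system32 (not part of a default Windows XP install)
  * the saved original spooler at system32/setup/fxjssocm.exe
  * msxml0r.dll in system32, plus a crude check that spoolsv.exe's bytes
    name that DLL (an inserted import library appears in the import name table)
  * msxml0r.dll whose mtime equals spoolss.dll, and a setup folder whose mtime
    equals root (the timestamp cloning described above)
  * Tasks entries with the listed names, and any .gif that starts with 'MZ'
The layout (`system32`, `Tasks`) is an assumption standing in for %SystemRoot%.
"""
import os
import tempfile
from pathlib import Path

SPOOLER_COPY = "spooler.exe"
SAVED_ORIGINAL = Path("setup") / "fxjssocm.exe"
INJECTED_DLL = "msxml0r.dll"
TIMESTAMP_DONOR = "spoolss.dll"
TASKS_DROPS = {"svchost.gif", "userinit.exe", "wuauclt.exe"}


def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS 'MZ' stub, whatever its extension."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def same_mtime(a: Path, b: Path) -> bool:
    """True if both paths exist and share a modification time (to the second)."""
    return a.exists() and b.exists() and int(a.stat().st_mtime) == int(b.stat().st_mtime)


def sweep(root: Path) -> list:
    """Return the indicators found under root; an empty list means none."""
    sys32, tasks = root / "system32", root / "Tasks"
    hits = []
    if (sys32 / SPOOLER_COPY).is_file():
        hits.append("spooler.exe present in system32")
    if (sys32 / SAVED_ORIGINAL).is_file():
        hits.append("saved spooler at setup/fxjssocm.exe")
    if (sys32 / INJECTED_DLL).is_file():
        hits.append("msxml0r.dll present in system32")
        if same_mtime(sys32 / INJECTED_DLL, sys32 / TIMESTAMP_DONOR):
            hits.append("msxml0r.dll mtime cloned from spoolss.dll")
    spoolsv = sys32 / "spoolsv.exe"
    # Crude import check: the PE import name table stores DLL names as ASCII,
    # so an infected spoolsv.exe contains the string and a clean one does not.
    if spoolsv.is_file() and INJECTED_DLL.encode() in spoolsv.read_bytes().lower():
        hits.append("spoolsv.exe imports msxml0r.dll")
    if (sys32 / "setup").is_dir() and same_mtime(sys32 / "setup", sys32 / "root"):
        hits.append("setup folder mtime cloned from root")
    if tasks.is_dir():
        for entry in sorted(tasks.iterdir()):
            if entry.name.lower() in TASKS_DROPS:
                hits.append(f"dropped name {entry.name} in Tasks")
            if entry.suffix.lower() == ".gif" and is_pe(entry):
                hits.append(f"{entry.name} is a PE file with a .gif extension")
    return hits


def build_tree(infected: bool) -> Path:
    """Construct a throwaway system32/Tasks layout for demonstration (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="djgd_"))
    sys32, tasks = root / "system32", root / "Tasks"
    (sys32 / "root").mkdir(parents=True)
    tasks.mkdir()
    old = 1_000_000_000  # fake "older" timestamp shared by spoolss.dll and root
    (sys32 / TIMESTAMP_DONOR).write_bytes(b"MZ clean spoolss")
    os.utime(sys32 / TIMESTAMP_DONOR, (old, old))
    os.utime(sys32 / "root", (old, old))
    if not infected:
        (sys32 / "spoolsv.exe").write_bytes(b"MZ clean spooler KERNEL32.dll\0")
        (tasks / "report.gif").write_bytes(b"GIF89a real image")
        return root
    (sys32 / "spoolsv.exe").write_bytes(b"MZ infected spooler MSXML0R.dll\0")
    (sys32 / SPOOLER_COPY).write_bytes(b"MZ copy of infected spoolsv")
    (sys32 / SAVED_ORIGINAL).parent.mkdir()
    (sys32 / SAVED_ORIGINAL).write_bytes(b"MZ original spoolsv")
    os.utime(sys32 / "setup", (old, old))  # clone root's timestamp onto setup
    (sys32 / INJECTED_DLL).write_bytes(b"MZ malicious import library")
    os.utime(sys32 / INJECTED_DLL, (old, old))  # clone spoolss.dll's timestamp
    (tasks / "svchost.gif").write_bytes(b"MZ payload disguised as an image")
    (tasks / "wuauclt.exe").write_bytes(b"MZ payload")
    return root


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, sweep(build_tree(flag)))
```

On a real system, point `sweep()` at a copy of %SystemRoot% (or a mounted image) rather than the live directory, and treat the string search in spoolsv.exe as a triage signal only: a proper check parses the import directory, and a clean spoolsv.exe should never reference msxml0r.dll at all.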