Trojan:W32/Agent.DXH or Trojan.Win32.Agent.dxh contains an encrypted payload. Agent.DXH appears to be a component of a malware that targets Italian computer users.
Agent.DXH is installed on the system when the file is executed with "INSTALL" as the parameter.When this malware is installed on the system it will traverse the %regrun% registry of HKLM and HKCU.If an entry is existing, it will replace the file with the copy of itself and put the original file into a "bak" folder at the location of the original file. By performing this routine, the malware is able to automatically start itself during the system start.This malware is a downloader that tries to connect to the following domains:
Notes: The domain called "doginhispen" points to a host in Sweden; The domain registration is through an anonymity service in the USA; WhoIs services list 70% of the site's visitors as being from Italy; The URL "a.doginhispen.com" displays only message "It Works!" via a Web browser; The domain called "skitodayplease" was not online during analysis. Agent.DXH may also contact this link as part of its infection routine:
Note: doginhispen.com and skitodayplease.com resolve to 126.96.36.199.The downloaded file is decrypted and saved in the windows temporary folder with a random filename. Once the download and decryption is complete the file will be executed.This malware may also update an existing infection by supplying the malware with a parameter of "UPDATE".To clean the system, the computer user may need to retrieve the original file pointed to by the registry entry in the "bak" folder where it was saved by the malware.Additional Info:Agent.DXH may create a file called abc123.pid. This is the file where it saves it ProcessID. The entry is retrieved when the malware will update itself.
Date Created: -
Date Last Modified: -