Threat description




Trojans are malicious programs that pretend be to benign. Trojans do not replicate themselves.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Trojan:W32/Agent.FVO was sent in several spam runs in the country of Denmark. The e-mail messages are in Danish and were sent to Danish e-mail addresses.The e-mail message claim to be from F-Secure support.The message appears as follows:

Date: 26. August 2008 08:31 
Subject: Data er tillagt og sendt med denne meddelelse. Käre kunder! Regning Data er tillagt og sendt med denne meddelelse. Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve. Antispam er helt gratis for private brugere. 
Attachment: f-secure.rar

The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe that attempts to connect to a server located in Ukraine.The IP address to which Agent.FVO attempts to connect hosts a fake version of

File System Changes

Creates these files:

  • %windir%\system32\drivers\dcbcg.exe
Network Connections

Attempts to connect with HTTP to:

  • http://91.203.[REMOVED]/port/c.php?l=US&d=F5CAA48923FD4CCA8D239AE89BEAC0B9&ver=3.6.7&rvz1=2650&rvz2=0000091859
Registry Modifications

Sets these values:

  • HKCU\software\ewrew\dcbcg\main cid = F5CAA48923FD4CCA8D239AE89BEAC0B9
  • HKCU\software\ewrew\sample\maincid = 28280947699F4F27B32917B2C8654CE4
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run _ = c:\windows\system32\drivers\dcbcg.exe

Creates these keys:

  • HKCU\software\ewrew
  • HKCU\software\ewrew\sample
  • HKCU\software\ewrew\sample\main
  • HKCU\software\ewrew\dcbcg
  • HKCU\software\ewrew\dcbcg\main

F-Secure Anti-Virus detects this malware with the following updates:

Database: 2008-08-26_06

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info