
Trojan:W32/Agent.FVO

Classification

Category: Malware

Type: Trojan

Aliases: Trojan:W32/Agent.FVO

Summary


Trojans are malicious programs that pretend to be benign. Trojans do not replicate themselves.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.


Technical Details


Trojan:W32/Agent.FVO was sent in several spam runs in Denmark. The email messages are in Danish and were sent to Danish email addresses. The messages claim to be from F-Secure support. The message appears as follows:

From: supportupdate@f-secure.com
Date: 26. August 2008 08:31
Subject: Data er tillagt og sendt med denne meddelelse. Käre kunder! Regning Data er tillagt og sendt med denne meddelelse. Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve. Antispam er helt gratis for private brugere.
Attachment: f-secure.rar

The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe that attempts to connect to a server located in Ukraine. The IP address to which Agent.FVO attempts to connect hosts a fake version of MP3.com.

File System Changes

Creates these files:

  • %windir%\system32\drivers\dcbcg.exe

Network Connections

Attempts to connect with HTTP to:

  • http://91.203.[REMOVED]/port/c.php?l=US&d=F5CAA48923FD4CCA8D239AE89BEAC0B9&ver=3.6.7&rvz1=2650&rvz2=0000091859

Registry Modifications

Sets these values:

  • HKCU\software\ewrew\dcbcg\main cid = F5CAA48923FD4CCA8D239AE89BEAC0B9
  • HKCU\software\ewrew\sample\main cid = 28280947699F4F27B32917B2C8654CE4
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run _ = c:\windows\system32\drivers\dcbcg.exe

Creates these keys:

  • HKCU\software\ewrew
  • HKCU\software\ewrew\sample
  • HKCU\software\ewrew\sample\main
  • HKCU\software\ewrew\dcbcg
  • HKCU\software\ewrew\dcbcg\main
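The indicators above can be hunted for in two places: the check-in URL shape in web proxy logs (the `d` parameter carries the same 32-character client id that the trojan writes to the `cid` registry value, so a proxy hit can be tied back to a specific host's registry), and the Run value that points at an .exe inside %windir%\system32\drivers, a directory that legitimately holds .sys driver files rather than executables. The following Python is an added example for defenders, not code from F-Secure's description. The proxy-log format, the placeholder host name `c2.example.invalid` (the real address is redacted on this page) and the benign Run entry are constructed for the example.

```python
"""Hunt for the Agent.FVO indicators in a proxy log and a .reg export.

Added example. The log lines, the placeholder C2 host name and the
benign Run entry below are constructed; only the URL shape, the file
path and the registry names come from the threat description.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Check-in shape from the description: /port/c.php?l=..&d=<32 hex>&ver=..&rvz1=..&rvz2=..
BEACON_PATH = "/port/c.php"
BEACON_PARAMS = {"l", "d", "ver", "rvz1", "rvz2"}
HEX32 = re.compile(r"^[0-9A-F]{32}$", re.IGNORECASE)

# A Run value launching an .exe from the drivers directory is the persistence indicator.
RUN_EXE_IN_DRIVERS = re.compile(r"\\system32\\drivers\\[^\\]+\.exe$", re.IGNORECASE)
EWREW_MAIN_KEY = re.compile(r"\\software\\ewrew\\[^\\]+\\main$", re.IGNORECASE)

# Constructed proxy log: <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2008-08-26T09:02:11 10.0.0.15 GET http://c2.example.invalid/port/c.php?l=US&d=F5CAA48923FD4CCA8D239AE89BEAC0B9&ver=3.6.7&rvz1=2650&rvz2=0000091859 200
2008-08-26T09:02:12 10.0.0.22 GET http://example.com/index.php?l=US 200
2008-08-26T09:03:40 10.0.0.15 GET http://c2.example.invalid/port/c.php?l=US&d=notahexid&ver=3.6.7&rvz1=1&rvz2=2 200
"""

# Constructed .reg export (reg.exe doubles backslashes inside string values).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"_"="c:\\windows\\system32\\drivers\\dcbcg.exe"
"Example Updater"="c:\\program files\\example\\updater.exe"

[HKEY_CURRENT_USER\software\ewrew\dcbcg\main]
"cid"="F5CAA48923FD4CCA8D239AE89BEAC0B9"
"""


def match_beacon(url):
    """Return the check-in fields if `url` has the Agent.FVO beacon shape, else None."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_PARAMS.issubset(query):
        return None
    client_id = query["d"][0]
    if not HEX32.match(client_id):  # the page shows d= as a 32-hex-digit id
        return None
    return {"host": parts.hostname, "client_id": client_id.upper(),
            "ver": query["ver"][0], "rvz1": query["rvz1"][0], "rvz2": query["rvz2"][0]}


def scan_proxy_log(lines):
    """Return (client_ip, beacon_fields) for every log line whose URL matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        found = match_beacon(fields[3])
        if found:
            hits.append((fields[1], found))
    return hits


def _reg_values(reg_text):
    """Yield (key, name, value) triples from a .reg export, with backslashes unescaped."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        pair = re.match(r'^"([^"]*)"="(.*)"$', line)
        if current_key and pair:
            yield current_key, pair.group(1), pair.group(2).replace("\\\\", "\\")


def suspicious_run_values(reg_text):
    """Run values that launch an .exe from system32\\drivers, as dcbcg.exe does."""
    return [(key, name, value) for key, name, value in _reg_values(reg_text)
            if key.lower().endswith(r"\currentversion\run") and RUN_EXE_IN_DRIVERS.search(value)]


def registry_client_ids(reg_text):
    """The cid values under HKCU\\software\\ewrew\\<name>\\main, for correlation with d=."""
    return {value.upper() for key, name, value in _reg_values(reg_text)
            if name.lower() == "cid" and EWREW_MAIN_KEY.search(key)}


if __name__ == "__main__":
    proxy_hits = scan_proxy_log(SAMPLE_LOG.splitlines())
    host_ids = registry_client_ids(SAMPLE_REG)
    for ip, beacon in proxy_hits:
        linked = "matches a registry cid" if beacon["client_id"] in host_ids else "no registry match"
        print(f"{ip} beaconed with client id {beacon['client_id']} ({linked})")
    for key, name, value in suspicious_run_values(SAMPLE_REG):
        print(f"persistence: {key}\\{name} = {value}")
```

The second log line fails the path check and the third fails the 32-hex-digit check on `d`, so only the first is reported; the single Run value flagged is the one pointing into system32\drivers, and its host's `cid` equals the `d` value seen on the proxy.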