Trojan-Downloader:W32/Agent.IDO
First posted on 05 December 2008.
Source: SecurityHome
Aliases:
There are no other names known for Trojan-Downloader:W32/Agent.IDO.
Explanation:
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
The trojan-downloader Agent.IDO drops the following files onto the system:
- %windir%\system32\win.exe
- %ProgramFiles%\Microsoft Common\svchost.exe
The svchost.exe file is detected as Trojan-Downloader:W32/Agent.IDP.
Payload
The downloading component of this trojan-downloader is actually another malware, Agent.IDP, which is part of its payload.
Once dropped, Agent.IDP adds the following autorun key to the Windows registry, so that it will run at each subsequent startup:
- Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer
  Value: Debugger
  Data: %ProgramFiles%\Microsoft Common\svchost.exe
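The Image File Execution Options (IFEO) "Debugger" value is a documented Windows debugging hook: when the named image is launched, Windows runs the Debugger command line instead and hands it the original program, which is why a single string value is enough for persistence. The script below is an added example (not part of this write-up and not F-Secure code) showing how a responder can audit that key offline: it parses the text of a `reg export` of the IFEO key, lists every Debugger value, and flags the ones whose target is named after a core system binary but lives outside the Windows directory, which is the pattern the entry above matches. The .reg text is constructed for the example; the explorer entry mirrors the page's IOC, while the notepad.exe and myapp.exe entries are invented to give the detector something to skip. It assumes %windir% resolves to C:\Windows.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg export` output for the IFEO key (sample data, not a real
# capture). The explorer entry mirrors the persistence described on the page;
# the notepad.exe and myapp.exe entries are invented benign/neutral records.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe\""
"""

IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options" + "\\"
)

# Names of core Windows processes that malware likes to borrow; a binary with
# one of these names outside the Windows directory is a masquerading signal.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows"  # assumption: %windir% is C:\Windows

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="Data" with .reg escaping (backslash escapes backslash and quote).
STR_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_path, value_name, data) for every REG_SZ value in a .reg export.
    dword:/hex: values are skipped; Debugger is always a string value."""
    records: List[Tuple[str, str, str]] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = STR_VALUE_RE.match(line)
        if m and current_key is not None:
            records.append((current_key, _unescape(m.group(1)), _unescape(m.group(2))))
    return records


def find_ifeo_debuggers(records: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Pick out every Debugger value under an IFEO image subkey."""
    hits = []
    for key, name, data in records:
        if name.lower() != "debugger" or not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        hits.append({"image": key[len(IFEO_PREFIX):], "debugger": data})
    return hits


def _debugger_exe(cmdline: str) -> str:
    """Extract the executable path from a Debugger command line, quoted or not.
    Unquoted paths with spaces are cut at the first '.exe', roughly as the
    loader would resolve them."""
    cmd = cmdline.strip().lstrip('"')
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ")[0]


def is_suspicious(debugger_cmdline: str) -> bool:
    """True when the debugger is named like a system binary but sits outside %windir%."""
    exe = _debugger_exe(debugger_cmdline)
    directory, _, basename = exe.rpartition("\\")
    d = directory.lower()
    in_windows_dir = d == WINDOWS_DIR or d.startswith(WINDOWS_DIR + "\\")
    return basename.lower() in SYSTEM_BINARY_NAMES and not in_windows_dir


def audit_ifeo(reg_text: str) -> List[Dict[str, object]]:
    """Parse a .reg export and annotate every IFEO Debugger entry with a verdict."""
    findings: List[Dict[str, object]] = []
    for hit in find_ifeo_debuggers(parse_reg_export(reg_text)):
        findings.append({**hit, "suspicious": is_suspicious(hit["debugger"])})
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['image']} -> {f['debugger']}")
```

On a live host the same logic can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; every Debugger entry is worth a look, since legitimate ones are rare on end-user machines, and the masquerading heuristic only orders the review.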
When executed, Agent.IDP attempts to connect to the following websites:
- http://univnext.cn/ld.php?v=1&rs=[...]=1&uid=1
- http://218.93.202.102/ld.php?v=1&rs=[...]=1&uid=1
- http://whv67.cn/ld.php?v=1&rs=[...]=1&uid=1
Fortunately, these websites are currently not operational.
Last update 05 December 2008