
Trojan.Agent.AY


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Agent.AY is also known as Troj/Dloader-WC, Trojan.Win32.Agent.ay, Trojan.Downloader.3256 and Win32/Agent.AY.

Explanation:

Has adware functionality.
When launched, it copies itself to %WINDIR%\System32 under a random name and registers that copy in the system registry so that it is launched each time Windows starts.

Downloads a file from a preconfigured location and executes it.
Injects code into another process in order to restart itself if it is terminated.

It is able to update itself over the Internet.
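The persistence described above (a randomly named copy in %WINDIR%\System32, registered to start with Windows) is easiest to hunt for by exporting the autorun keys and comparing them against a baseline. The script below is an added example for this write-up, not BitDefender code: the .reg export text, the baseline of expected System32 autoruns and the vowel-ratio heuristic are constructed assumptions, and the write-up does not name the registry location, so checking the Run/RunOnce keys is itself an assumption.

```python
"""Flag Run-key entries that point to unexpected System32 binaries.

Added example, not from the original write-up. Export real data with
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
and pass the file contents to parse_run_entries().
"""
import re

# Constructed REGEDIT5 export (backslashes and quotes are escaped in this format).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="%windir%\\system32\\ctfmon.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"xkqzpvb"="C:\\Windows\\System32\\xkqzpvb.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# Assumed baseline: System32 binaries that are expected to autorun on this build.
BASELINE_SYSTEM32 = {"ctfmon.exe"}

KEY_RE = re.compile(r"^\[(.*\\CurrentVersion\\(Run|RunOnce))\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg(data):
    """Undo REGEDIT5 string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_run_entries(text):
    """Return (key, value_name, command) for each string value under Run/RunOnce."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith("["):
            key = None  # some other key: ignore values until the next Run key
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            entries.append((key, m.group(1), unescape_reg(m.group(2))))
    return entries


def image_path(command):
    """Strip surrounding quotes and arguments to recover the executable path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def in_system32(path):
    """True if the path resolves under %WINDIR%\\System32 (assumes C:\\Windows)."""
    p = path.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")
    return "\\windows\\system32\\" in p


def looks_random(filename):
    """Heuristic: genuine program names contain vowels; a stem of 7+ characters
    with fewer than 20% vowels is unusual and worth a second look."""
    stem = filename.lower().rsplit(".", 1)[0]
    if len(stem) < 7:
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    return vowels / len(stem) < 0.2


def suspicious_run_entries(entries, baseline=BASELINE_SYSTEM32):
    """Flag autoruns whose executable lives in System32 but is not baselined."""
    flagged = []
    for key, name, command in entries:
        path = image_path(command)
        exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if not in_system32(path) or exe in baseline:
            continue
        reasons = ["unbaselined System32 autorun"]
        if looks_random(exe):
            reasons.append("random-looking file name")
        flagged.append({"key": key, "value": name, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_run_entries(parse_run_entries(SAMPLE_REG)):
        print(hit["key"], hit["value"], hit["path"], "; ".join(hit["reasons"]))
```

The baseline check does the real work; the vowel-ratio heuristic only adds a reason string and should never be the sole trigger, since legitimate vendors also ship terse binary names. Other autostart locations (services, Winlogon, scheduled tasks) are out of scope for this snippet.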

The Trojan synchronizes with the following NTP servers in order to check the time:
clock.fmt.he.net
dewey.lib.ci.phoenix.az.us
decimal.lib.ci.phoenix.az.us
time.alcanet.no
fartein.ifi.uio.no
ntp1.theinternetone.net
ntp.doubleukay.com
ntp.ewha.net
ntps.net4u.it
ntp.maths.tcd.ie
ntp.mfa.gr
ntp.via.ecp.fr
ntp.univ-lyon1.fr
ntp2.tuxfamily.net
ntp1.tuxfamily.net
ntp.tuxfamily.net
ntp.obspm.fr
tock.keso.fi
tick.keso.fi
hora.oxixares.com
tick.fh-augsburg.de
tack.fh-augsburg.de
ntp2.contactel.cz
ntp1.contactel.cz
ntp.karpo.cz
ntp.globe.cz
ntp.cgi.cz
tock.utoronto.ca
timelord.uregina.ca
time.nrc.ca
time.chu.nrc.ca
tick.utoronto.ca
ntp1.cmc.ec.gc.ca
ntp.cpsc.ucalgary.ca
ntp1.pucpr.br
ntp.ufes.br
ntp.pop-pr.rnp.br
ntp.massayonet.com.br
ntp.hiway.com.br
ntp.cais.rnp.br
ntp2.belbone.be
ntp1.belbone.be
tock.nap.com.ar
time.sinectis.com.ar
tick.nap.com.ar
ntp.saard.net
ntp.ucsd.edu

Contains the strings:
callinghome.biz
OfferDrv-{F395B5B4-1837-4e79-AD7B-7287043E4DBC}
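The NTP hostnames and the callinghome.biz string above are the network indicators a detection engineer can act on, with one caveat: every server in the NTP list is a legitimate public time server, so a single lookup of one of them proves nothing, whereas a Windows host normally syncs with a single server (or its domain controller) and has no reason to resolve callinghome.biz at all. The script below is an added example for this write-up, not BitDefender code. It scores DNS query logs per source host: any lookup under callinghome.biz is a high-confidence finding, while contacting several servers from the NTP list is a medium one. The log layout (tab-separated timestamp, source IP, queried name), the sample lines and the threshold of three distinct NTP servers are constructed assumptions; the hostnames are exactly those listed above.

```python
"""Score DNS query logs against the Trojan.Agent.AY network indicators.

Added example, not from the original write-up. Log format, sample lines
and the NTP threshold are constructed assumptions.
"""
from collections import defaultdict

# NTP servers the trojan contacts (from the write-up). All are public time
# servers, so one lookup is not evidence on its own; several are.
NTP_INDICATORS = {
    "clock.fmt.he.net", "dewey.lib.ci.phoenix.az.us", "decimal.lib.ci.phoenix.az.us",
    "time.alcanet.no", "fartein.ifi.uio.no", "ntp1.theinternetone.net",
    "ntp.doubleukay.com", "ntp.ewha.net", "ntps.net4u.it", "ntp.maths.tcd.ie",
    "ntp.mfa.gr", "ntp.via.ecp.fr", "ntp.univ-lyon1.fr", "ntp2.tuxfamily.net",
    "ntp1.tuxfamily.net", "ntp.tuxfamily.net", "ntp.obspm.fr", "tock.keso.fi",
    "tick.keso.fi", "hora.oxixares.com", "tick.fh-augsburg.de", "tack.fh-augsburg.de",
    "ntp2.contactel.cz", "ntp1.contactel.cz", "ntp.karpo.cz", "ntp.globe.cz",
    "ntp.cgi.cz", "tock.utoronto.ca", "timelord.uregina.ca", "time.nrc.ca",
    "time.chu.nrc.ca", "tick.utoronto.ca", "ntp1.cmc.ec.gc.ca", "ntp.cpsc.ucalgary.ca",
    "ntp1.pucpr.br", "ntp.ufes.br", "ntp.pop-pr.rnp.br", "ntp.massayonet.com.br",
    "ntp.hiway.com.br", "ntp.cais.rnp.br", "ntp2.belbone.be", "ntp1.belbone.be",
    "tock.nap.com.ar", "time.sinectis.com.ar", "tick.nap.com.ar", "ntp.saard.net",
    "ntp.ucsd.edu",
}
# Domain from the embedded strings; a lookup of it or any subdomain is high-fidelity.
C2_DOMAIN = "callinghome.biz"

# Constructed sample log: timestamp<TAB>source IP<TAB>queried name.
SAMPLE_LOG = """\
1321920000.1\t10.0.0.5\ttime.windows.com
1321920001.2\t10.0.0.5\twww.example.com
1321920002.3\t10.0.0.9\tntp.tuxfamily.net.
1321920003.4\t10.0.0.9\tNTP1.tuxfamily.net
1321920004.5\t10.0.0.9\ttock.keso.fi
1321920005.6\t10.0.0.9\tupdate.callinghome.biz
1321920006.7\t10.0.0.12\tntp.ucsd.edu
"""


def parse_dns_log(text):
    """Return (timestamp, src_ip, query) tuples; the query is lower-cased and
    stripped of a trailing dot so it compares cleanly against the indicators."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, query = line.split("\t")
        records.append((float(ts), src, query.rstrip(".").lower()))
    return records


def matches_domain(query, domain):
    """True for the domain itself and for any subdomain of it."""
    return query == domain or query.endswith("." + domain)


def hunt(records, ntp_threshold=3):
    """Return {src_ip: finding} for hosts worth investigating.

    C2 lookups are high severity on their own. NTP lookups are counted per
    source as distinct servers; reaching ntp_threshold of them is medium
    severity. The default threshold is an assumption to tune per network.
    """
    ntp_hits = defaultdict(set)
    c2_hits = defaultdict(set)
    for _, src, query in records:
        if query in NTP_INDICATORS:
            ntp_hits[src].add(query)
        if matches_domain(query, C2_DOMAIN):
            c2_hits[src].add(query)
    findings = {}
    for src in sorted(set(ntp_hits) | set(c2_hits)):
        if c2_hits.get(src):
            severity = "high"
        elif len(ntp_hits.get(src, ())) >= ntp_threshold:
            severity = "medium"
        else:
            continue
        findings[src] = {
            "severity": severity,
            "c2": sorted(c2_hits.get(src, ())),
            "ntp": sorted(ntp_hits.get(src, ())),
        }
    return findings


if __name__ == "__main__":
    for src, finding in hunt(parse_dns_log(SAMPLE_LOG)).items():
        print(src, finding["severity"], finding["c2"], finding["ntp"])
```

With the sample data only 10.0.0.9 is reported: it resolved three listed NTP servers and a callinghome.biz subdomain. 10.0.0.12 resolved one listed server, which is exactly the false-positive case the per-source threshold is there to suppress; lower the threshold only if the environment pins clients to an internal time source, so any external NTP lookup is already anomalous.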

It tracks user actions and harvests a range of information.

Last update 21 November 2011
