First posted on 06 April 2007.
Source: SecurityHome
Worm:W32/Agent.T is also known as Trojan.Downloader.Agent.ASH, W32/Generic.m, Trojan.Downloader-1419, Worm.Win32.Agent.t.
Worm:W32/Agent.T copies itself to the Windows folder, then downloads files from several websites and executes them.
Agent.T is malware that may drop several copies of itself onto the system and download additional malware from the Internet.
Upon execution, it drops the following files:
- %windir%\yqqty.exe - A copy of itself.
It modifies the following autostart registry entry to enable its automatic execution at every system boot-up:
- [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit=%windir%\system32\userinit.exe,%windir%\yqqty.exe
Note: The default value is Userinit=%windir%\system32\userinit.exe
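A check for the Userinit change described above, as an added example that is not part of the original description: it lists every Userinit entry other than the stock userinit.exe. The function names, the default `C:\Windows` location and the sample values are assumptions constructed for illustration.

```python
import ntpath
import re

# Registry location named in the description above.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def extra_userinit_entries(value, windir=r"C:\Windows"):
    """Return the Userinit entries that are not the default userinit.exe."""
    expected = ntpath.normcase(ntpath.join(windir, "system32", "userinit.exe"))
    extras = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # a clean value often ends with a trailing comma
        # Expand %windir% / %SystemRoot% without depending on the local environment.
        expanded = re.sub(r"%(windir|systemroot)%", lambda m: windir,
                          entry, flags=re.IGNORECASE)
        if ntpath.normcase(ntpath.normpath(expanded)) != expected:
            extras.append(entry)
    return extras


def read_live_userinit():
    """Read the current Userinit value (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    # Constructed sample values: one clean, one matching the modified entry above.
    samples = [
        r"C:\Windows\system32\userinit.exe,",
        r"%windir%\system32\userinit.exe,%windir%\yqqty.exe",
    ]
    for sample in samples:
        extras = extra_userinit_entries(sample)
        print("SUSPICIOUS" if extras else "ok", sample, extras)
```

On a Windows host, pass the result of `read_live_userinit()` to `extra_userinit_entries()`, with `windir` set to that host's Windows directory.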
It may drop a copy of itself to several drives. An Autorun.inf file, a configuration file used to automatically execute the malware when a directory or drive is opened, is dropped together with the main executable file.
Agent.T also downloads the following files from the Internet:
- http://www.sinavip.net/A[REMOVED].asp
- http://www.sinavip.net/L[REMOVED].txt
It then saves the files to the Windows directory using the following filenames:
One of the text files contains the following download sites:
- http://www.aame.cn/k[REMOVED].rar
- http://www.aame.cn/c[REMOVED].rar
The downloaded files are also trojan-downloaders that are now detected as Trojan-Downloader:W32/Small.EJW and Trojan-Downloader:W32/Small.ELM.
Last update 06 April 2007