
Trojan.Agent.APDA


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.Agent.APDA is also known as Trojan:Win32/Oficla.M (OneCare) and Trojan.Win32.Sasfis.a (Sunbelt).

Explanation :

This malware belongs to (and is better known as) the Oficla trojan family; it carries a familiar icon that tricks the user into thinking it is a Word document. When executed, the malware first drops a new file inside the %temp% folder, named "[2 random digits].tmp". This is in fact a .dll file (dynamic link library), and after dropping it the malware injects it into a new instance of svchost.exe. Another copy of this .dll is also dropped inside the %system% directory as "lgou.rlo"; this copy is registered to run at startup by modifying the registry value HKEY_LOCAL_MACHINE\Microsoft\Windows NT\Winlogon\shell, adding "rundll32.exe lgou.rlo mrtiyyb" to it (this way, after every reboot, the malicious .dll is loaded and executed). After dropping these files, the malware erases its own executable file in order to cover its tracks.

The .dll file is in fact a downloader (currently detected as Trojan.Downloader.Agent.ABBL); it tries to download and execute files from http://post[removed].ru and perform additional malicious tasks.

%temp% refers to the temporary folder.

%system% refers to the system folder (usually c:\windows\system32).
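A defender-side check for the Winlogon Shell persistence described above, added here as an example and not part of the BitDefender description: it parses a Shell value, flags every entry beyond the default explorer.exe, and calls out rundll32 loading a module that is not a .dll (the trojan's lgou.rlo). The sample value is constructed to mirror the entry the trojan appends; the full key path used by the optional live read is the standard Winlogon key, assumed here because the description abbreviates it.

```python
"""Audit a Winlogon 'Shell' value for Oficla-style persistence (added example)."""
from __future__ import annotations

import shlex
import sys

# Winlogon starts every comma-separated program in 'Shell'; the default is just this.
DEFAULT_SHELL = "explorer.exe"


def audit_shell_value(value: str) -> list[dict]:
    """Return one finding per non-default entry in a Winlogon Shell value."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry or entry.lower() == DEFAULT_SHELL:
            continue
        tokens = shlex.split(entry, posix=False)  # keep quoted Windows paths intact
        program = tokens[0].strip('"').lower()
        finding = {"entry": entry, "reason": "non-default Winlogon shell entry"}
        # rundll32 <module> <export>: a module that is not a .dll (e.g. lgou.rlo)
        # is the stronger signal, since legitimate use almost always names a .dll.
        if program.endswith("rundll32.exe") and len(tokens) >= 2:
            module = tokens[1].strip('"')
            if not module.lower().endswith(".dll"):
                finding["reason"] = f"rundll32 loads non-.dll module {module!r}"
        findings.append(finding)
    return findings


def read_live_shell_value() -> str | None:
    """Read the real Shell value on Windows; return None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    # Standard full path of the key the advisory abbreviates (assumed, not from the page).
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    # Constructed sample: the default shell with the trojan's entry appended.
    sample = read_live_shell_value() or "explorer.exe,rundll32.exe lgou.rlo mrtiyyb"
    for f in audit_shell_value(sample):
        print(f"SUSPICIOUS: {f['entry']} -> {f['reason']}")
```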

Last update 21 November 2011
