First posted on 06 February 2008.
Source: SecurityHome
Trojan-Downloader:W32/Agent.ICF is also known as Trojan-Downloader.Win32.Agent.icf.
Trojan-Downloader:W32/Agent.ICF attempts to download files.
It also drops files and writes to the system registry.
File System Changes
Attention: %windir% represents the default Windows directory.
Creates these files:
- %windir%\system32\dx6vcl.dll
- %windir%\system32\notepod.exe
- %windir%\system32\disk.ico
- %windir%\system32\xtemp1.exe
- %windir%\system32\xtemp2.exe
Replaces the following file with a copy of itself:
Note: The file called rsvp.exe is a Windows system file. Deletion of the malware file during disinfection will require the repair of the system file.
Creates these directories:
- %windir%\Web\webpf
- %windir%\Web\webdc
- %windir%\Web\webpt
- %windir%\Web\webhp
- %windir%\Web\webxs
Process Changes
Creates these processes:
Uses these temporary processes:
- %windir%\system32\xtemp1.exe
- %windir%\system32\xtemp2.exe
These modules were loaded into other processes:
- %windir%\system32\dx6vcl.dll
  Loaded into %windir%\system32\svchost.exe
Creates these mutexes:
- c:!windows!system32!config!systemprofile!local settings!temporary internet files!content.ie5!
- c:!windows!system32!config!systemprofile!cookies!
- c:!windows!system32!config!systemprofile!local settings!history!history.ie5!
Network Connections
Attempts to download files from:
- http://www.why001.com/[Removed].exe
- http://www.koreaara.com/down/[Removed].rar
- http://63.245.209.10/[Removed].dat
Registry Modifications
Sets these values:
- HKLM\System\CurrentControlSet\Control\Session Manager\SFC
  ProgramFilesDir = C:\Program Files\x174
- HKLM\System\CurrentControlSet\Control\Session Manager\SFC
  CommonFilesDir = C:\Program Files\Common Files
- [...]urrentControlSet\Control\Session Manager
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt
  Application = notepod.exe
- HKLM\System\CurrentControlSet\Services\RSVP
  Type = 00000010
- HKLM\System\CurrentControlSet\Services\RSVP
  Start = 00000002
- HKLM\System\CurrentControlSet\Services\RSVP
  ErrorControl = 00000000
- HKCU\Software\Microsoft\Windows Script\Settings
  JITDebug = 00000000
Creates these keys:
- HKLM\Software\Classes\Applications\notepod.exe
- HKLM\Software\Classes\Applications\notepod.exe\shell
- HKLM\Software\Classes\Applications\notepod.exe\shell\open
- HKLM\Software\Classes\Applications\notepod.exe\shell\open\command
- HKCU\Software\Microsoft\Windows Script
- HKCU\Software\Microsoft\Windows Script\Settings
Additional Details
Notepod:
Agent.ICF creates a file called notepod.exe and sets a registry value to associate .TXT files with it. If the system user opens a text file, notepod.exe is launched, which in turn calls notepad.exe. Notepad.exe is a legitimate Windows file.
Each launch of notepod.exe executes the trojan-downloader mechanisms again, so the .TXT association acts as a persistence mechanism.
Automatic Updates:
Agent.ICF attempts to delete the Automatic Updates service. The Automatic Update service enables the download and installation of Windows updates.
Autorun Features:
Agent.ICF also contains autorun features. See the Worm/W32:Autorun description for additional details. An autorun.inf file is copied to the root of a removable drive. Under a folder called recycled there is a file called cleardisk.pif. The PIF file is a copy of the trojan-downloader.
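A read-only triage check for the artifacts listed in this description, added here as an example and not part of the original description or of any vendor tool; it assumes PowerShell on the affected host and that the Automatic Updates service is registered under the service name wuauserv.

```powershell
# Added example: report Agent.ICF artifacts from this description on a live host.
# Read-only; it changes nothing and prints what it finds.
$sys32 = Join-Path $env:windir 'system32'
$findings = @()

# Dropped files under %windir%\system32
foreach ($name in 'notepod.exe', 'dx6vcl.dll', 'disk.ico', 'xtemp1.exe', 'xtemp2.exe') {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# Directories created under %windir%\Web
foreach ($d in 'webpf', 'webdc', 'webpt', 'webhp', 'webxs') {
    $p = Join-Path $env:windir "Web\$d"
    if (Test-Path -LiteralPath $p -PathType Container) { $findings += "directory present: $p" }
}

# .TXT hijack: per-user FileExts key pointing at notepod.exe (persistence on every text file open)
$ext = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt'
$app = (Get-ItemProperty -Path $ext -Name Application -ErrorAction SilentlyContinue).Application
if ($app -and $app -ieq 'notepod.exe') { $findings += ".txt FileExts Application = $app" }
if (Test-Path 'HKLM:\Software\Classes\Applications\notepod.exe') {
    $findings += 'HKLM\Software\Classes\Applications\notepod.exe key present'
}

# Automatic Updates service deleted; RSVP service reconfigured (Start = 2 means automatic start)
if (-not (Get-Service -Name wuauserv -ErrorAction SilentlyContinue)) {
    $findings += 'Automatic Updates service (wuauserv) is missing'
}
$rsvp = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\RSVP' -ErrorAction SilentlyContinue
if ($rsvp -and $rsvp.Start -eq 2) { $findings += "RSVP service Start = $($rsvp.Start) (automatic)" }

# Autorun component: autorun.inf and recycled\cleardisk.pif at the root of each drive
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($rel in 'autorun.inf', 'recycled\cleardisk.pif') {
        $p = Join-Path $drive.Root $rel
        if (Test-Path -LiteralPath $p) { $findings += "autorun artifact present: $p" }
    }
}

if ($findings.Count -eq 0) { 'No Agent.ICF indicators from this description were found.' }
else { $findings | ForEach-Object { "[Agent.ICF] $_" } }
```

A hit on autorun.inf alone is not conclusive, since legitimate media also carry that file; the cleardisk.pif copy and the .TXT association are the stronger indicators.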
Last update 06 February 2008