Home / malware Trojan-Downloader:W32/Agent.HSM
First posted on 08 October 2008.
Source: SecurityHomeAliases :
There are no other names known for Trojan-Downloader:W32/Agent.HSM.
Explanation :
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
right]This trojan may be downloaded from a malicious website. It may also arrive as an e-mail attachment.
Known e-mail subjects associated with this malware are:
- Really cool photos
- Exclusive photos, you'll be happy
- Spam: Great photos for you
- Great photos for you
- The best photos for you
Installation
During installation, the trojan will drop a copy of itself to:
- %systemroot%system32
s32net.exe
It also sets a launch point with the following registry key:
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
rs32net = %systemroot%system32
s32net.exe
It will then try to launch svchost.exe, and injects its code by replacing the launched svchost.exe code.
Execution
Upon execution, this malware will attempt to connect to the following websites:
- http://astana1988.[...]hostia.com
- http://astana.[...]fire.net
It then attempts to download additional files from the following IP addresses:
- 91.203.92.7
- 208.66.195.16
- 208.66.195.71
- 208.66.195.232
- 208.66.195.240
- 216.195.55.50
- 216.195.56.22
- 209.66.122.238
As of this writing, these IP addresses are down and are not available.Last update 08 October 2008
