Trojan.Win32.Agent.ay

Technical Details

This Trojan program has Adware functionality. It is 76800 bytes in size, packed using UPX.

When launching, it copies itself to %WINDIR%\System32 under a random name. It registers this file in the system registry to ensure that the file will be launched each time Windows is rebooted on the victim machine.

It is able to update itself over the Internet.

The Trojan will synchronize itself with the following NTP servers in order to check the time.

clock.fmt.he.net
decimal.lib.ci.phoenix.az.us
dewey.lib.ci.phoenix.az.us
fartein.ifi.uio.no
hora.oxixares.com
ntp.cais.rnp.br
ntp.cgi.cz
ntp.cpsc.ucalgary.ca
ntp.doubleukay.co
ntp.ewha.net
ntp.globe.cz
ntp.hiway.com.br
ntp.karpo.cz
ntp.massayonet.com.br
ntp.maths.tcd.ie
ntp.mfa.gr
ntp.obspm.fr
ntp.pop-pr.rnp.br
ntp.saard.net
ntp.tuxfamily.net
ntp.ucsd.edu
ntp.ucsd.edu
ntp.ufes.br
ntp.univ-lyon1.fr
ntp.via.ecp.fr
ntp1.belbone.be
ntp1.cmc.ec.gc.ca
ntp1.contactel.cz
ntp1.pucpr.br
ntp1.theinternetone.net
ntp1.tuxfamily.net
ntp2.belbone.be
ntp2.contactel.cz
ntp2.tuxfamily.net
ntps.net4u.it
tack.fh-augsburg.de
tick.fh-augsburg.de
tick.keso.fi
tick.nap.com.ar
tick.utoronto.ca
time.alcanet.no
time.chu.nrc.ca
time.nrc.ca
time.sinectis.com.ar
timelord.uregina.ca
tock.keso.fi
tock.nap.com.ar
tock.utoronto.ca

It tracks user actions and harvests a range of information.

The program contains the following text strings:

"callinghome.biz"
"startwatcher"
"OfferDrv-{F395B5B4-1837-4e79-AD7B-7287043E4DBC}"