
Trojan.Win32.Agent.ay

Detected Jul 25 2005 08:01 GMT
Released Sep 29 2005 02:09 GMT
Published Jul 25 2005 08:01 GMT

Technical Details

This Trojan program has Adware functionality. It is 76800 bytes in size, packed using UPX.

When launched, it copies itself to %WINDIR%\System32 under a random name. It registers this file in the system registry to ensure that the file will be launched each time Windows is rebooted on the victim machine.

It is able to update itself over the Internet.

The Trojan synchronizes itself with a list of NTP servers in order to check the time.

It tracks user actions and harvests a range of information.

The program contains the following text strings:

"callinghome.biz"
"startwatcher"
"OfferDrv-{F395B5B4-1837-4e79-AD7B-7287043E4DBC}"

Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, or disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Agent.ay (Kaspersky Lab) is also known as:

  • Trojan: Downloader-ABS (McAfee)
  • Troj/Agent-EE (Sophos)
  • Trojan.Agent-10406 (ClamAV)
  • Adware/Transponder (Panda)
  • W32/Agent.SW (FPROT)
  • Trojan:Win32/Agent.CV (MS(OneCare))
  • Adware.CallingHome (DrWeb)
  • Trojan.Agent.AY (BitDef7)
  • Win32:Adware-gen [Adw] (AVAST)
  • Trojan.Win32.Agent (Ikarus)
  • Generic7.WHG (AVG)
  • Adware.Aurora (NAV)
  • Trojan.Win32.Agent.ay [AVP] (FSecure)