Technical Details
This Trojan is designed to install other Trojan programs on the victim machine without the user's knowledge or consent. The Trojan itself is a Windows PE EXE file 21943 bytes in size, packed using FSG. The unpacked file is approximately 117KB in size.
When launched, the Trojan installs the following file in the Windows system directory:
%System%\docent0.dll
Technical details
The main file is a Windows application (PE EXE file).
File size of 21943 bytes.
Packed using FSG. The file was packed using a special compression utility. Compression can be used for a number of reasons, including for legitimate programs. However, virus writers frequently use it to bypass antivirus protection and to make it difficult for virus analysts to analyze compressed programs.
Malicious activity
Receives remote commands from cybercriminal:
- via open network ports
After a command from a cybercriminal, the program performs its malicious functions, for example, performing network attacks on internet sites, distributing spam and other malicious programs, or deleting a user's files. Those using this type of malicious program frequently make use of botnets (networks of infected computers which cybercriminals control centrally in order to carry out malicious activities).
Read more details here: http://www.viruslist.com/en/analysis?pubid=204792003
The program opens one or more network ports on the infected computer and listens on them, waiting for someone to connect. As a rule, the malicious program gives the cybercriminal access to the infected computer only after authenticity verification.
This is a malicious program designed to steal user information related to banking and electronic payment systems and bank cards. The information is sent to a cybercriminal via email, FTP, the web or other methods.
Read more details here: http://www.viruslist.com/en/analysis?pubid=204792037
Steals confidential user information from the following banks, financial institutions, payment systems:
- Halifax PLC
- HSBC Group
- Wells Fargo Bank
- NetBank
- Bank Of America
- CommonWealthBank
- Cahoot Bank
- Smile Internet Bank
- Data Processing Center and IT-Service Provider
- Barclays Bank PLC
- Deutsche Bank
- Dresdner Bank
- Alliance & Leicester
- e-gold
- Royal Bank of Scotland (RBS)
- Citibank
- Lloyds TSB Bank
- Noris Bank
Creates files on the victim machine which will be detected by Kaspersky Anti-Virus as:
- Trojan-Spy.Win32.Goldun.ev
Ensures subsequent autorun of installed files:
- by writing to autorun keys in the system registry
- using system services
Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted.
Injects its code into specific processes
Connects to specific Internet addresses
Other activities
Modifies certain system registry keys
Deletes specific files from the victim machine