Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity HIGH
Payload Installs other malware utilities as well as child pornography.
Detection files published 09 Mar 2006 03:00:00
Description created 10 Mar 2006 05:21:00
Description updated 10 Mar 2006 05:21:00
Malware type TROJAN
Alias Trojan-Dropper.Win32.Agent.yf
Spreading mechanism
Summary None

W32/Agent.ULL

Spreading

The trojan does not spread by itself. It has likely been distributed manually in forums where people would download and run it, for example in file sharing networks.

File system changes:

\TEMP\childporn.wmv
\win32.exe
\msits.exe
\cmd32.exe
loadadv713.exe
\kernels64.exe

The files installed are:

win32.exe, kernels64.exe: Installers for Tibs, BraveSentry and other malware. Tibs is a downloader for pornographic adware; BraveSentry is a scam-based "AntiSpyware" utility.
msits.exe, cmd32.exe: Download SpySheriff and other downloaders. SpySheriff is another scam-based "AntiSpyware" utility.
loadadv713.exe: Another downloader.

This is quite a common scenario: downloaders that download more downloaders, which in turn download more downloaders, and so on.

Payload Details

The trojan installs a number of files in addition to the pornographic movie. These files are mostly downloaders that fetch other malicious ad- and spyware utilities. While this happens, the trojan extracts and displays a WMV movie ("childporn.wmv") involving sex with a clearly underage girl.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10