Threat behavior
TrojanDropper:Win32/Agent.FO is a trojan that reports its installation to a remote server, captures local system information and monitors web browsing activities.
Installation
When run, the trojan copies itself to the following locations:
%TEMP%\incognito.exe
%windir%\System32\newuser324\server.exe
The trojan creates the following mutexes:
- "_x_X_UPDATE_X_x_"
- "_x_X_PASSWORDLIST_X_x_"
- "_x_X_BLOCKMOUSE_X_x_"
- "***MUTEX***"
- "***MUTEX***_PERSIST"
It displays a graphical user interface such as the one shown below:
The registry is modified to run the trojan at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Policies"
With data: "%windir%\System32\newuser324\server.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HKLM"
With data: "%windir%\System32\newuser324\server.exe"
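The two autorun entries above are the indicators a responder can check for offline, for example against a registry export (.reg file) pulled from a suspect host. The script below is an added example, not part of this write-up or any Microsoft tooling: it parses the string values under the two Run keys named above and flags any value whose data is the documented server.exe path. As a heuristic of this example only, it also flags anything present under Policies\Explorer\Run, a key that is normally populated only by Group Policy and is the less obvious of the two locations this family uses. The registry export it runs on is constructed for the example; the payload path and key names are the ones given above.

```python
import re
from typing import Dict, List

# Indicators taken from the write-up: the dropped payload path and the two
# autorun keys it writes to. Keys are kept lower-case because registry paths
# are case-insensitive and exports vary in capitalisation.
PAYLOAD_PATH = r"%windir%\System32\newuser324\server.exe"
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [Key] headers followed by
    "Name"="string data" lines. Backslashes are doubled in .reg exports, so
    they are unescaped on the way in. Key paths are lower-cased."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_agent_fo_persistence(reg_export: str) -> List[dict]:
    """Return autorun entries matching this family's persistence: any value
    under the two Run keys whose data is the documented server.exe path, plus
    (heuristic of this example) any value at all under Policies\\Explorer\\Run."""
    hits: List[dict] = []
    for key, values in parse_reg_export(reg_export).items():
        if key not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            reasons = []
            if data.lower() == PAYLOAD_PATH.lower():
                reasons.append("data is the Agent.FO server.exe path")
            if key.endswith(r"\policies\explorer\run"):
                reasons.append("value present under Policies\\Explorer\\Run")
            if reasons:
                hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return hits


# Constructed registry export for the example: one benign Run value plus the
# two entries the write-up documents. Not captured from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"HKLM"="%windir%\\System32\\newuser324\\server.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"="%windir%\\System32\\newuser324\\server.exe"
"""


if __name__ == "__main__":
    for hit in find_agent_fo_persistence(SAMPLE_REG_EXPORT):
        print(f'{hit["key"]}  "{hit["name"]}" = {hit["data"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The path comparison is exact because the write-up gives the expanded data string verbatim; a variant that stores the path with a different environment variable or casing of the directory would need the comparison loosened to a suffix match on newuser324\server.exe. The Policies\Explorer\Run heuristic will also surface legitimate Group Policy logon programs in a managed domain, so treat those hits as items to verify rather than as confirmed infections.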
Payload
Communicates with a remote server
The trojan reports its installation by connecting to the remote server "james1990.no-ip.biz" using TCP port 81. The trojan also opens UDP port 1053.
Captures system information
The trojan captures system information and stores the data in the following log files:
%TEMP%\xx--xx--xx.txt
%TEMP%\xxx.xxx
%TEMP%\uuu.uuu
%USERPROFILE%\Application Data\logs.dat
Monitors web browsing
TrojanDropper:Win32/Agent.FO injects a remote thread into Internet Explorer to monitor web browsing activity.
Analysis by Jaime Wong
Prevention