Trojan:Win32/Agent.DX is a trojan that displays unsolicited advertisements when the user initiates a search request using Baidu.
Installation
Trojan:Win32/Agent.DX is usually installed at the following path:
- %ProgramFiles%\Intel\TurboBoost\svchost.exe
It modifies the registry so that it automatically runs every time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "360try1"
With data: "%ProgramFiles%\Intel\TurboBoost\svchost.exe"
Note that a legitimate Windows file also named "svchost.exe" exists by default in the Windows system folder (%SystemRoot%\System32, and %SystemRoot%\SysWOW64 on 64-bit Windows). The trojan reuses that name to blend in; an "svchost.exe" in any other location, such as the %ProgramFiles%\Intel\TurboBoost folder above, is not the Windows component and should be treated as suspicious.
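The following PowerShell script is an added example and is not part of the original write-up. It checks the Run key named above for the two indicators the entry gives: the value name "360try1", and any "svchost.exe" whose directory is not the Windows system folder, then reports whether the file exists, its Authenticode status and its SHA-256 so it can be triaged. The Wow6432Node and HKCU Run keys are assumptions added for completeness (the write-up names only the HKLM key), as are the helper name Get-ImagePath and the output fields.

```powershell
# Added example (not from the original Microsoft write-up): triage the Run keys
# for the Trojan:Win32/Agent.DX persistence pattern. Run from an elevated prompt.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',              # key named in the write-up
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # assumption: 32-bit view on x64
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'               # assumption: per-user Run key
)

# The only directories where the genuine Windows svchost.exe lives.
$legitSvchostDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Value name the write-up says the trojan creates.
$knownValueNames = @('360try1')

# Metadata properties Get-ItemProperty adds that are not registry values.
$psMetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath {
    # Hypothetical helper: turn Run-key data such as "%ProgramFiles%\x\svchost.exe" or
    # '"C:\x\y.exe" -arg' into the bare executable path.
    param([string]$Data)
    $expanded = [Environment]::ExpandEnvironmentVariables($Data).Trim()
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted: keep everything up to and including the first ".exe" token.
    $m = [regex]::Match($expanded, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $expanded
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMetaProps -contains $p.Name) { continue }

        $image = Get-ImagePath -Data ([string]$p.Value)
        $leaf  = [IO.Path]::GetFileName($image)
        $dir   = [IO.Path]::GetDirectoryName($image)

        $reasons = @()
        if ($knownValueNames -contains $p.Name) {
            $reasons += "value name '$($p.Name)' matches Trojan:Win32/Agent.DX"
        }
        if ($leaf -ieq 'svchost.exe' -and ($legitSvchostDirs -notcontains $dir)) {
            $reasons += "svchost.exe outside $($legitSvchostDirs -join ' / ')"
        }
        if ($reasons.Count -eq 0) { continue }

        # Collect triage details for anything flagged. The file may already be gone;
        # the Run value alone is still evidence of the infection.
        $exists = Test-Path -LiteralPath $image
        $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
        $hash = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { 'n/a' }

        [pscustomobject]@{
            Key       = $key
            ValueName = $p.Name
            Image     = $image
            Exists    = $exists
            Signature = $sig
            SHA256    = $hash
            Reason    = $reasons -join '; '
        }
    }
}
```

The script only reports; it does not delete the value or the file, so it is safe to run on a machine you are still investigating. A genuine svchost.exe is only ever loaded from the system folder, so any hit on the second reason is worth escalating even if the value name differs from "360try1", since the name is the detail most likely to change between variants. Record the SHA-256 before cleaning up so the sample can be submitted or matched against other hosts.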
Payload
Steals system information
Trojan:Win32/Agent.DX tries to send your MAC address and computer name to the following remote server:
Displays advertisements
Trojan:Win32/Agent.DX also tries to download a list of advertisers and advertising content from the same server. At the time of this writing, the list contains the following:
- 10168mp3
- 1ndex2_pg
- 360safe_cb
- 380236866_pg
- 3g16_pg
- 51ebook
- 53080099
- 9991com
- ahjoe_dg
- antiarp_pg
- avantcn_dg
- baidu2009
- baidulocal
- bd1001_dg
- beyondsoft_pg
- china175
- clinks_pg
- cndow3_pg
- czpc8_pg
- daolian
- dudu2008_pg
- dwso_5_dg
- finvhuaw_cb
- funshion010_pg
- gctech_pg
- gjzcc_dg
- haijin0212_pg
- harry690_pg
- hbhyw_pg
- hongfeiyuyu_pg
- icafemedia_11_pg
- ichuner_2_pg
- iewz_dg
- index88_4_pg
- jianliang
- jsing
- ku23_pg
- kugoo2007_pg
- licenseonline_pg
- lin7163862_dg
- lqowen_4_pg
- luojianbin
- luojianbin_pg
- lvchunyan2005
- mm667_pg
- msvista_5_pg
- msvista_pg
- my0419e
- myie2dg
- p2pover_dg
- pubwin_4_pg
- request_4_pg
- request_pg
- richtb_pg
- richtech1_2_pg
- s001_dg
- sayh_3_dg
- sayh_4_dg
- sentry_1_pg
- site5566
- site888_pg
- sitehao123
- sitesowang
- snxs_003_pg
- snxs_006_pg
- sogouie_dg
- starballl_pg
- sucop_dg
- tjywmaxdg
- tom0
- txwb_pg
- tyyhxp_pg
- whsjsoft_pg
- wodewangzhan123
- wuciu_pg
- x3dmm667_pg
- yanbing2796_pg
- ylmf_1_pg
- ylmf_4_pg
- yokcom
- yulinboy_pg
- yxmaomao_pg
- yyd6188
- znmqdg
- zouwenye
Analysis by Zhitao Zhou