Threat behavior
TrojanDownloader:Win32/Agent.ABC is a trojan that drops and installs additional malware.
Installation
When executed, TrojanDownloader:Win32/Agent.ABC displays the following dialog box:
If the user clicks 'Yes', the trojan continues its malicious routine. If the user clicks 'No', the trojan exits.
If it continues to execute, TrojanDownloader:Win32/Agent.ABC copies itself to the following locations:
The attributes on these files are set to hidden and system.
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
Payload
Installs Additional Malware/Backdoor Functionality
TrojanDownloader:Win32/Agent.ABC drops the following files, which comprise the trojan Backdoor:Win32/Prorat.O:
The attributes on these files are set to hidden, system and read only.
TrojanDownloader:Win32/Agent.ABC creates a new instance of itself as a suspended process, then injects a binary form of code from data.dat into itself. Once this is completed, it resumes the process, which now contains the backdoor component code, and terminates itself.
Backdoor:Win32/Prorat.O may download and execute arbitrary files, including additional malicious files.
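The two attribute patterns described above (hidden and system on the trojan's copies; hidden, system and read only on the dropped backdoor files) can be hunted for on a Windows host. The following is an added triage example, not code from the original write-up; the extension list and the function names are assumptions made for illustration.

```python
import os
import stat

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN      # 0x2
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM      # 0x4
READONLY = stat.FILE_ATTRIBUTE_READONLY  # 0x1

# Assumption: file types worth reviewing; only data.dat is named on the page.
EXTENSIONS = (".exe", ".dll", ".dat")


def classify(attrs):
    """Return the attribute pattern from the write-up that a bitmask matches, or None."""
    if not (attrs & HIDDEN and attrs & SYSTEM):
        return None
    if attrs & READONLY:
        return "hidden+system+readonly"  # as set on the dropped backdoor files
    return "hidden+system"               # as set on the trojan's own copies


def scan(folder, extensions=EXTENSIONS):
    """List (path, pattern) for files in folder whose attributes match either pattern."""
    hits = []
    with os.scandir(folder) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not entry.name.lower().endswith(extensions):
                continue
            info = entry.stat(follow_symlinks=False)
            # st_file_attributes exists only on Windows; elsewhere nothing matches.
            label = classify(getattr(info, "st_file_attributes", 0))
            if label:
                hits.append((entry.path, label))
    return sorted(hits)


if __name__ == "__main__":
    # Resolve the system folder from the environment instead of hard-coding it.
    system_folder = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isdir(system_folder):
        for path, label in scan(system_folder):
            print(f"{label:24} {path}")
```

A match is a lead for review (signature, hash, creation time), not a verdict on its own.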
Prevention