MSIL/Agent.DT [Threat Name]

MSIL/Agent.DT [Threat Variant Name]

Category trojan, worm
Size 189440 B
Detection created Dec 29, 2012
Signature database version 7843
Aliases Trojan.Win32.Agentb.aaew (Kaspersky)
  Trojan.Klovbot (Symantec)

Short description

MSIL/Agent.DT is a worm that spreads via removable media.

Installation

When executed, the worm copies itself into the following location:

  • c:\ProgramFileas\windowsdeafender.exe

The worm creates the following files:

  • c:\ProgramFileas\winlogoon.exe (98816 B, MSIL/Agent.DT)
  • c:\ProgramFileas\svchoost.exe (58880 B, MSIL/Agent.DT)
  • c:\ProgramFileas\deleter.exe (28160 B, MSIL/Agent.DT)

The files are then executed.


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "winlogoon" = "c:\ProgramFileas\winlogoon.exe"

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • Yeni Klasorr.exe

The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.

Information stealing

The worm searches removable drives for files with the following file extensions:

  • .doc
  • .docx

When the worm finds a file matching the search criteria, it creates a copy of the file.


The files are saved into the following folder:

  • c:\ProgramFileas\

The worm attempts to send the found files to a remote machine.


The worm sends the information via e-mail. The worm contains a list of 1 address.

Other information

The worm connects to the following addresses:

  • www.google.com

The worm may delete the following files:

  • c:\ProgramFileas\*.doc
  • c:\ProgramFileas\*.docx
