MSIL/Agent.DT [Threat Name] go to Threat
MSIL/Agent.DT [Threat Variant Name]
|Detection created||Dec 29, 2012|
|Signature database version||7843|
MSIL/Agent.DT is a worm that spreads via removable media.
When executed, the worm copies itself into the following location:
The worm creates the following files:
- c:\ProgramFileas\winlogoon.exe (98816 B, MSIL/Agent.DT)
- c:\ProgramFileas\svchoost.exe (58880 B, MSIL/Agent.DT)
- c:\ProgramFileas\deleter.exe (28160 B, MSIL/Agent.DT)
The files are then executed.
In order to be executed on every system start, the worm sets the following Registry entry:
- "winlogoon" = "c:\ProgramFileas\winlogoon.exe"
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
- Yeni Klasorr.exe
The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.
The worm searches removable drives for files with the following file extensions:
When the worm finds a file matching the search criteria, it creates its duplicate.
The files are saved into the following folder:
The worm attempts to send the found files to a remote machine.
The worm sends the information via e-mail. The worm contains a list of (1) addresses.
The worm connects to the following addresses:
The worm may delete the following files: