Win32/Agent.SFM [Threat Name]
Win32/Agent.SFM [Threat Variant Name]
| Field | Value |
|---|---|
| Detection created | Feb 05, 2011 |
| Signature database version | 5849 |
The trojan collects information used to access certain sites. The trojan attempts to send gathered information to a remote machine.
When executed, the trojan drops the following file into the %system% folder:
A string with variable content is used instead of %random1%.
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
- "AppInit_DLLs" = "%system%\%random1%.dll"
- "LoadAppInit_DLLs" = 1
This way the trojan ensures that libraries with the following names are loaded into every process that subsequently loads user32.dll (the AppInit_DLLs mechanism; processes already running when the value is written are not affected until they restart, and on Windows Vista and later a non-zero LoadAppInit_DLLs value is required, which is why the trojan sets it):
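The registry-based persistence described above can be audited with the following PowerShell script. It is an added example for this page, not ESET's code and not part of the original write-up. The function name Get-AppInitFindings is chosen here, and resolving a bare DLL name against System32 is an assumption made for the example (the loader's own search order decides in practice).

```powershell
# Added example (not ESET's code): audit the AppInit_DLLs persistence mechanism this
# variant uses. Both the native key and the WOW6432Node key are read, because a 64-bit
# system keeps one list for 64-bit processes and one for 32-bit processes.
# Run from an elevated PowerShell.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitFindings {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $dlls  = [string]$props.AppInit_DLLs
        $load  = $props.LoadAppInit_DLLs   # absent on XP/2003, where AppInit_DLLs loads unconditionally
        if ([string]::IsNullOrWhiteSpace($dlls)) { continue }

        # The value is a space- or comma-separated list of DLL paths.
        foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            if (-not [IO.Path]::IsPathRooted($path)) {
                # Assumption for this example: a bare file name is resolved from System32.
                $path = Join-Path -Path $env:SystemRoot -ChildPath "System32\$path"
            }
            $exists = Test-Path -LiteralPath $path -PathType Leaf
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key              = $key
                LoadAppInit_DLLs = $load
                Dll              = $path
                Exists           = $exists
                Signature        = $status
                # An unsigned or missing AppInit DLL that is enabled for loading deserves a look;
                # a legitimately empty AppInit_DLLs value never reaches this point.
                Suspicious       = ($status -ne 'Valid') -and ($load -ne 0)
            }
        }
    }
}

Get-AppInitFindings | Format-Table -AutoSize
```

On a machine infected with this variant the Dll column shows the dropped %system%\%random1%.dll path; treating a missing LoadAppInit_DLLs value as "enabled" is deliberate, since pre-Vista systems load AppInit DLLs without it. A valid Authenticode signature only lowers the priority of a finding, it does not clear it, so review any listed DLL that you did not deploy yourself.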
The trojan creates the following files:
The trojan collects various information related to the operating system.
The following information is collected:
- the list of installed software
- antivirus software detected on the affected machine
- network adapter information
- volume serial number
The trojan collects sensitive information when the user browses certain web sites.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 3 URLs and communicates with them over HTTP.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- block access to specific websites
- monitor network traffic
- modify network traffic
The trojan may delete files stored in the following folders:
The trojan may create the following files:
A string with variable content is used instead of %random2%.
The trojan hooks the following Windows APIs:
- recv (Ws2_32.dll)
- send (Ws2_32.dll)
- WSASend (Ws2_32.dll)
- WSARecv (Ws2_32.dll)
- closesocket (Ws2_32.dll)
- WSASocketW (Ws2_32.dll)
- connect (Ws2_32.dll)
- WSAConnect (Ws2_32.dll)
- select (Ws2_32.dll)
- WSAGetOverlappedResult (Ws2_32.dll)
- WSAAsyncSelect (Ws2_32.dll)
- ioctlsocket (Ws2_32.dll)
- WSAEnumNetworkEvents (Ws2_32.dll)
- WSAEventSelect (Ws2_32.dll)
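The hooks above sit on the Winsock send/receive and connection path, which is how the trojan monitors and modifies traffic and harvests credentials from web sessions in every process it is injected into. The following PowerShell script, an added example and not ESET's code, checks the first bytes of each listed Ws2_32.dll export in the current process for the detour stubs that user-mode hooking engines commonly write. The names Test-InlineHook, Get-ModuleRange and Get-Ws2HookReport are chosen here, and the stub patterns are the usual ones; the write-up does not state which hooking technique this variant uses.

```powershell
# Added example (not ESET's code): look for inline hooks on the Ws2_32.dll exports this
# variant targets, inside the current process. A user-mode hook normally overwrites the
# first bytes of the function with a jump into the injected DLL. Run the PowerShell whose
# bitness matches the suspect DLL (SysWOW64\WindowsPowerShell\v1.0\powershell.exe for a
# 32-bit DLL), because an AppInit DLL only lands in processes of its own bitness.

if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
}

# The exports listed in the write-up (WSAAsyncSelect is the real export name).
$Ws2Exports = @('recv', 'send', 'WSASend', 'WSARecv', 'closesocket', 'WSASocketW', 'connect',
                'WSAConnect', 'select', 'WSAGetOverlappedResult', 'WSAAsyncSelect', 'ioctlsocket',
                'WSAEnumNetworkEvents', 'WSAEventSelect')

function Get-ModuleRange([IntPtr]$hModule) {
    # Image size from the PE header: e_lfanew at 0x3C, OptionalHeader.SizeOfImage at NT header + 0x50.
    $ntOff = [Runtime.InteropServices.Marshal]::ReadInt32($hModule, 0x3C)
    $size  = [Runtime.InteropServices.Marshal]::ReadInt32($hModule, $ntOff + 0x50)
    return @{ Start = $hModule.ToInt64(); End = $hModule.ToInt64() + $size }
}

function Test-InlineHook {
    param([IntPtr]$Address, [hashtable]$Range)
    $b = 0..15 | ForEach-Object { [Runtime.InteropServices.Marshal]::ReadByte($Address, $_) }
    if ($b[0] -eq 0xE9) {                                               # JMP rel32
        $rel    = [BitConverter]::ToInt32([byte[]]($b[1..4]), 0)
        $target = $Address.ToInt64() + 5 + $rel
        return ($target -lt $Range.Start -or $target -ge $Range.End)   # only a jump that leaves the module
    }
    if ($b[0] -eq 0xFF -and $b[1] -eq 0x25) { return $true }            # JMP [rip+disp32] / JMP [abs32]
    if ($b[0] -eq 0x68 -and $b[5] -eq 0xC3) { return $true }            # PUSH imm32 ; RET
    if ($b[0] -eq 0x48 -and $b[1] -eq 0xB8 -and $b[10] -eq 0xFF -and $b[11] -eq 0xE0) { return $true }  # MOV RAX, imm64 ; JMP RAX
    return $false
}

function Get-Ws2HookReport {
    $h = [Win32.Native]::GetModuleHandle('ws2_32.dll')
    if ($h -eq [IntPtr]::Zero) { $h = [Win32.Native]::LoadLibrary('ws2_32.dll') }
    if ($h -eq [IntPtr]::Zero) { throw 'ws2_32.dll could not be loaded' }
    $range = Get-ModuleRange $h
    foreach ($name in $Ws2Exports) {
        $addr = [Win32.Native]::GetProcAddress($h, $name)
        if ($addr -eq [IntPtr]::Zero) { continue }
        [pscustomobject]@{
            Export   = $name
            Address  = ('0x{0:X}' -f $addr.ToInt64())
            Prologue = (0..7 | ForEach-Object { '{0:X2}' -f [Runtime.InteropServices.Marshal]::ReadByte($addr, $_) }) -join ' '
            Hooked   = Test-InlineHook -Address $addr -Range $range
        }
    }
}

Get-Ws2HookReport | Format-Table -AutoSize
```

Treat a Hooked result as a triage signal, not proof: compare the printed prologue bytes with the same export in the on-disk ws2_32.dll (or in a known-clean process), and remember that a hook installed through the import table or the export table rather than by patching code will not show up here. An injected DLL that is present in this process is listed by `[System.Diagnostics.Process]::GetCurrentProcess().Modules`, which is the natural next thing to inspect once a hook is confirmed.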