Win32/Agent.SFM [Threat Name]

Win32/Agent.SFM [Threat Variant Name]

Category trojan
Size 102400 B
Detection created Feb 05, 2011
Detection database version 5849
Short description

The trojan collects information used to access certain sites. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan drops the following file in the %system% folder:

  • %random1%.dll

A string with variable content is used instead of %random1%.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%system%\%random1%.dll"
    • "LoadAppInit_DLLs" = 1

This ensures that the following library is injected into all running processes:

  • %system%\%random1%.dll
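As an added defender-side example (not part of this ESET entry), the following Python audits a `reg export` of the key above for an active AppInit_DLLs injection: it only reports DLLs when LoadAppInit_DLLs is non-zero, and lets known-good entries be allowlisted. The embedded export, its DLL path and its file name are constructed placeholders standing in for %system%\%random1%.dll.

```python
import re

# Registry key the trojan writes (from the description above).
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample of `reg export` output for that key on an infected host.
# RANDOM1.dll is a placeholder for %random1%.dll, not a real indicator.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\system32\\RANDOM1.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_appinit(reg_text):
    """Return (dll_list, load_enabled) read from a .reg export of APPINIT_KEY."""
    dlls, load_enabled, in_key = [], False, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key header; track whether it is ours
            in_key = line.strip("[]").lower() == APPINIT_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        name, data = m.group("name").lower(), m.group("data")
        if name == "appinit_dlls" and data.startswith('"'):
            # .reg files escape backslashes and quotes; undo that, then split on
            # the separators AppInit_DLLs accepts (space or comma).
            raw = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            dlls = [p for p in re.split(r"[ ,]+", raw) if p]
        elif name == "loadappinit_dlls" and data.lower().startswith("dword:"):
            load_enabled = int(data[6:], 16) != 0
    return dlls, load_enabled


def audit_appinit(reg_text, allowlist=frozenset()):
    """Return DLL paths that would be injected and are not on the allowlist."""
    dlls, load_enabled = parse_appinit(reg_text)
    if not load_enabled:
        return []  # value present but loading switched off: nothing is injected
    allowed = {a.lower() for a in allowlist}
    return [d for d in dlls if d.lower() not in allowed]


if __name__ == "__main__":
    for dll in audit_appinit(SAMPLE_REG_EXPORT):
        print("AppInit_DLLs injection active for unexpected DLL:", dll)
```

On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled by the OS, so a hit there indicates the persistence attempt rather than a successful injection.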

The trojan creates the following files:

  • %commonappdata%\cf

Information stealing

The trojan collects various information related to the operating system.

The following information is collected:

  • the list of installed software
  • antivirus software detected on the affected machine
  • network adapter information
  • volume serial number

The trojan collects sensitive information when the user browses certain web sites.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • block access to specific websites
  • monitor network traffic
  • modify network traffic

The trojan may delete files stored in the following folders:

  • %cookies%
  • %internetcache%

The trojan may create the following files:

  • %temp%\flash_player_update.exe
  • %commonappdata%\ur
  • %commonappdata%\ur%random2%

A string with variable content is used instead of %random2%.

The trojan hooks the following Windows APIs:

  • recv (Ws2_32.dll)
  • send (Ws2_32.dll)
  • WSASend (Ws2_32.dll)
  • WSARecv (Ws2_32.dll)
  • closesocket (Ws2_32.dll)
  • WSASocketW (Ws2_32.dll)
  • connect (Ws2_32.dll)
  • WSAConnect (Ws2_32.dll)
  • select (Ws2_32.dll)
  • WSAGetOverlappedResult (Ws2_32.dll)
  • WSAAsyncSelect (Ws2_32.dll)
  • ioctlsocket (Ws2_32.dll)
  • WSAEnumNetworkEvents (Ws2_32.dll)
  • WSAEventSelect (Ws2_32.dll)
