Win32/Agent.ODG [Threat Name]

Win32/Agent.ODG [Threat Variant Name]

Category: trojan, virus
Size: 57370 B
Detection created: Sep 03, 2008
Detection database version: 3410
Aliases: Rootkit.Win32.Agent.czj (Kaspersky), Backdoor.Tidserv (Symantec), Generic.FakeAlert.d (McAfee)
Short description

Win32/Agent.ODG is a trojan used for the delivery of unsolicited advertisements. The trojan acquires data and commands from a remote computer or the Internet. It uses techniques common to rootkits.

Installation

When executed, the trojan drops one of the following files in the %system% folder:

  • TDSSl.dll (17408 B)
  • tdssc2cf.dll (46620 B)
  • tdssadw.dll (32768 B)
  • tdssmain.dll (10240 B)
  • tdssserf.dll (12288 B)

The libraries are loaded and injected into the following processes:

  • svchost.exe
  • iexplorer.exe

The following file is dropped into the %system%\drivers\ folder:

  • TDSSserv.sys (36352 B)

The trojan installs the following system driver:

  • TDSSserv.sys

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv]
    • "Start" = %number1%
    • "Type" = %number2%
    • "ImagePath" = "%system%\drivers\TDSSserv.sys"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]
    • "Driver" = "%system%\drivers\TDSSserv.sys"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys]
    • "Driver" = "%system%\drivers\TDSSserv.sys"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\TDSS]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\version]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\trusted]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\registry]
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData]
    • "affid" = %variable1%
    • "subid" = %variable2%
    • "control" = %variable3%
    • "prov" = %variable4%
    • "googleadserver" = %variable5%
    • "flagged" = %variable6%

%number1-2% and %variable1-6% stand for strings with variable content.

Information stealing

Win32/Agent.ODG is a trojan that steals sensitive information.
The following information is collected:

  • a list of recently visited URLs

The trojan can send the information to a remote machine.

Other information

The trojan blocks access to a list of web sites, including those of security vendors, Windows Update and support forums.

The trojan terminates specific running processes.
The trojan alters the behavior of the following processes:

  • msiserver

The user may be redirected to one of the following Internet web sites:

  • compalusa.com
  • dojo.www.
  • clubgamecasino.com
  • wikiei.com
  • asiuoqgusdbaksd.com
  • analitic-checks.google.com

The trojan tries to download and execute several files from the Internet.

The trojan contains a list of 3 URLs and communicates over HTTP.

The trojan hides files and Registry entries which contain one of the following strings in their name:

  • TDSS
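Because the trojan hides files and Registry entries whose names contain "TDSS" from the running system, the practical check for the artifacts listed in the Installation section is a cross-view comparison: enumerate from the live OS, enumerate the same locations out of band (a raw hive or disk parsed from boot media), and flag names that only the offline view shows. The following Python is an added example, not part of the ESET description; the file and key names come from this page, and the listings in the `__main__` block are constructed.

```python
# Added example: cross-view check for the TDSS artifacts listed on this page.
# Sample listings in __main__ are constructed, not captured from a real host.
# Dropped files and sizes as given on the page (names only; %system% prefix dropped).
DROPPED_FILES = {
    "TDSSl.dll": 17408, "tdssc2cf.dll": 46620, "tdssadw.dll": 32768,
    "tdssmain.dll": 10240, "tdssserf.dll": 12288, "TDSSserv.sys": 36352,
}
# Registry keys from the page, relative to HKEY_LOCAL_MACHINE.
REGISTRY_KEYS = [
    r"SYSTEM\CurrentControlSet\Services\TDSSserv",
    r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys",
    r"SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys",
    r"SOFTWARE\TDSS",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData",
]
HIDDEN_SUBSTRING = "tdss"  # the trojan hides names containing this string

def cross_view_diff(live, offline):
    """Names in the offline listing that the live (possibly rootkitted) OS does not show.

    `offline` is an out-of-band view of the same directory or key, e.g. a raw
    hive or disk parsed from boot media. Comparison is case-insensitive.
    """
    seen = {name.lower() for name in live}
    return sorted(name for name in offline if name.lower() not in seen)

def tdss_hidden(live, offline):
    """Subset of the cross-view difference that matches the page's hiding rule."""
    return [n for n in cross_view_diff(live, offline) if HIDDEN_SUBSTRING in n.lower()]

def size_matches(offline_files):
    """For each listed dropped file found offline, does its size match the page?"""
    return {name: offline_files[name] == size
            for name, size in DROPPED_FILES.items() if name in offline_files}

def known_keys_present(offline_keys):
    """Which of the listed registry keys appear in an offline hive listing."""
    seen = {key.lower() for key in offline_keys}
    return [key for key in REGISTRY_KEYS if key.lower() in seen]

if __name__ == "__main__":
    # Constructed listings of %system%\drivers: live OS vs offline disk parse.
    live = ["ndis.sys", "tcpip.sys"]
    offline = {"ndis.sys": 182656, "tcpip.sys": 361600, "TDSSserv.sys": 36352}
    print("hidden from live view:", tdss_hidden(live, offline))  # ['TDSSserv.sys']
    print("size check:", size_matches(offline))                # {'TDSSserv.sys': True}
```

A clean cross-view diff from the live system is not proof of absence, since the driver also registers itself under both SafeBoot keys and so loads in Safe Mode; the offline listing must come from media the infected kernel did not boot.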