Win32/Agent.SRE

Category: trojan
Size: 14848 B
Detection created: Jun 02, 2011
Detection database version: 6174
Aliases: Worm.Win32.AutoRun.hvm (Kaspersky)
  W32/Autorun.worm.cj.virus (McAfee)
  Trojan:Win32/Autorun.L (Microsoft)

Short description

Win32/Agent.SRE is a trojan which tries to download other malware from the Internet.


Installation

The trojan is probably a part of other malware. When executed, the trojan copies itself into the following location:

  • %windir%\comres.dll

Spreading on removable media

Win32/Agent.SRE is a trojan that spreads by copying itself into certain folders.


The trojan copies itself as a DLL library into existing folders containing *.exe file(s).


Its filename is the following:

  • comres.dll

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


The trojan creates the following folders:

  • %removabledrive%\RECYCLER\S-1-5-21-453988542-493766162-455437253-500.{645FF040-5081-101B-9F08-00AA002F954E}

The trojan creates copies of the following files (source, destination):

  • %windir%\help\*.int, %removabledrive%\RECYCLER\S-1-5-21-453988542-493766162-455437253-500.{645FF040-5081-101B-9F08-00AA002F954E}\*.int

Other information

The trojan moves the following files (source, destination):

  • %removabledrive%\RECYCLER\S-1-5-21-453988542-493766162-455437253-500.{645FF040-5081-101B-9F08-00AA002F954E}\*.out, %windir%\help\*.out
  • %windir%\help\*.int, %removabledrive%\RECYCLER\S-1-5-21-453988542-493766162-455437253-500.{645FF040-5081-101B-9F08-00AA002F954E}\*.int
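
A triage sketch for the removable-media artefacts listed above, added here as an example and not taken from the vendor write-up: it walks a mounted drive (or a copy of one) and reports the RECYCLER staging folder, *.int/*.out files inside it, and any comres.dll sitting beside *.exe files, noting the Hidden/System attributes where the platform exposes them. The function name `scan_drive` and the indicator labels are assumptions chosen for illustration.

```python
import os
import stat

# Folder name the write-up lists under %removabledrive%\RECYCLER\.
STAGING = ("S-1-5-21-453988542-493766162-455437253-500"
           ".{645FF040-5081-101B-9F08-00AA002F954E}").lower()
HIDE_BITS = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def scan_drive(root):
    """Walk a mounted removable drive (or a copy of one) and return
    sorted (indicator, relative_path) findings. Hypothetical helper."""
    findings = []

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        names = {f.lower(): f for f in files}
        parent = os.path.basename(os.path.dirname(dirpath)).lower()
        if os.path.basename(dirpath).lower() == STAGING and parent == "recycler":
            findings.append(("staging-folder", rel(dirpath)))
            for low, real in names.items():
                if low.endswith((".int", ".out")):
                    findings.append(("staged-file", rel(os.path.join(dirpath, real))))
        # comres.dll copied into a folder that contains *.exe files.
        # Windows ships its own comres.dll in System32, so exclude that
        # directory when pointing this at a system volume.
        if "comres.dll" in names and any(n.endswith(".exe") for n in names):
            dll = os.path.join(dirpath, names["comres.dll"])
            findings.append(("comres-beside-exe", rel(dll)))
            # st_file_attributes exists only on Windows; treated as 0 elsewhere.
            if getattr(os.stat(dll), "st_file_attributes", 0) & HIDE_BITS:
                findings.append(("hidden-or-system-attr", rel(dll)))
    return sorted(findings)
```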

The trojan searches for files with the following file extensions:

  • *.out

Only the following folders are searched:

  • %windir%\help\

When the trojan finds a file matching the search criteria, it creates a duplicate of it.


The file name and extension of the newly created file are derived from the original one.


An additional ".exe" extension is appended.


The file is then decrypted and executed.


The trojan then overwrites file content with random data.


The trojan may create the following files in the %windir%\help\ folder:

  • %computername%.rux

The trojan may create copies of the following files (source, destination):

  • %windir%\help\%computername%.rux, %removabledrive%:\RECYCLER\S-1-5-21-453988542-493766162-455437253-500.{645FF040-5081-101B-9F08-00AA002F954E}\%computername%.int

The trojan contains a URL.


It tries to download several files from the address.


These are stored in the following locations:

  • %windir%\Help\Tours\%variable1%
  • %temp%\avptray%variable2%.exe

The files are then executed. The HTTP protocol is used.


A string with variable content is used instead of %variable1-2%.
