Win32/TrojanDownloader.Agent.ACF [Threat Name]

Win32/TrojanDownloader.Agent.ACF [Threat Variant Name]

Category: trojan
Size: 773632 B
Detection created: Feb 02, 2006
Detection database version: 10481
Aliases: Trojan-Downloader.Win32.Agent.hfal (Kaspersky), SecurityRisk.Downldr (Symantec), Adware/InstallRex.73153 (Avira)
Short description

Win32/TrojanDownloader.Agent.ACF is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.


The trojan creates a scheduled task that repeatedly runs the following command:

  • %malwarefilepath% /schedule /profile "%currentfolder%\%variable1%.ini"

This causes the trojan to be executed on every system start.


The trojan creates the following file:

  • %temp%\%variable2%.tmp (283136 B, Win32/TrojanDownloader.Agent.ACF)

A string with variable content is used instead of %variable1-2%.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-%id%]
    • "UninstallString" = "%malwarefilepath% /uninstall"
    • "SilentUninstall" = "%malwarefilepath% /uninstall"
    • "DisplayName" = "%malwarefilename%"
    • "URLInfoAbout" = ""
    • "URLUpdateInfo" = ""
    • "Publisher" = ""
    • "DisplayVersion" = "%random%"
    • "NoRepair" = 0x1
    • "NoModify" = 0x1
    • "CategoryName" = "Apps"
    • "InstallDate" = "20120606"
    • "DisplayIcon" = "C:\Windows\System32\msiexec.exe"
    • "_In" = "%currentdate%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0]
    • "(Default)" = "runtimeLib"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\Flags]
    • "(Default)" = "0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\HELPDIR]
    • "(Default)" = "%temp%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\0\win32]
    • "(Default)" = "%temp%\%variable%.tmp"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}]
    • "(Default)" = "IRuntime"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}]
    • "(Default)" = "IDownloadJob"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}]
    • "(Default)" = "IWaitableTask"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}]
    • "(Default)" = "IDownloadError"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}]
    • "(Default)" = "IRunningProcess"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A4F3B48-4807-4D11-B98B-C0E9B7C89130}]
    • "(Default)" = "IJSBuf"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A4F3B48-4807-4D11-B98B-C0E9B7C89130}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A4F3B48-4807-4D11-B98B-C0E9B7C89130}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A4F3B48-4807-4D11-B98B-C0E9B7C89130}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
Information stealing

The trojan collects the following information:

  • malware version
  • operating system version
  • Internet Explorer version
  • memory status
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 9 URLs. The HTTP protocol is used in the communication.


It downloads the other part of the infiltration.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • update itself to a newer version
  • stop itself for a certain time period
  • send the list of files on a specific drive to a remote computer

The trojan keeps various information in the following file:

  • %currentfolder%\%variable%.ini

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\%filename%\%variable%\defaults]

A string with variable content is used instead of %variable%.
