Win32/TrojanDownloader.Agent.PPM [Threat Name]

Win32/TrojanDownloader.Agent.PPM [Threat Variant Name]

Category trojan
Size 46080 B
Detection created Dec 03, 2009
Detection database version 4657
Aliases Trojan.Win32.Agent2.lez (Kaspersky), Vundo.gen.ci (McAfee), Downloader (Symantec)
Short description

Win32/TrojanDownloader.Agent.PPM is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:

  • %system%\%filename%.dat (34816 B)
  • %temp%\%filename%.dat (34816 B)

A string with variable content is used instead of %filename%.

The dropped file is a DLL library with the following extension:

  • .dat

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%filename%]
    • "Asynchronous" = 0
    • "DllName" = "%system%\%filename%.dat"
    • "Impersonate" = 0
    • "Startup" = "B"
    • "Logon" = "B"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%filename%" = "%system%\%filename%.dat, B"
    • "%filename%" = "%temp%\%filename%.dat, B"
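The two persistence locations listed above (a Winlogon Notify package and a Run value that loads a .dat DLL by export name) can be audited on a host with the following script. This is an added example for defenders, not ESET's code; it assumes an elevated PowerShell session on the machine being checked and that, on Windows Vista and later, the Winlogon\Notify key is normally absent.

```powershell
# Added defensive audit (not part of the ESET description): enumerate the two
# persistence locations this description lists and flag entries that match.
# Assumptions: elevated PowerShell on the host being checked; legitimate
# Winlogon Notify packages are .dll files located under System32.
$system = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Winlogon Notify packages: each subkey names a DLL in DllName.
#    A .dat extension or a path outside System32 (e.g. %temp%) is suspicious.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyRoot) {
    foreach ($key in Get-ChildItem -Path $notifyRoot) {
        $dll = [string](Get-ItemProperty -Path $key.PSPath).DllName
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        # A bare file name is resolved from System32, as Winlogon does
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system $dll }
        if (([IO.Path]::GetExtension($dll) -ne '.dll') -or ($dll -notlike "$system\*")) {
            $findings += [pscustomobject]@{
                Location = "Winlogon\Notify\$($key.PSChildName)"
                Value    = $dll
                Reason   = 'Notify package is not a .dll under System32'
            }
        }
    }
}

# 2. Run keys: values shaped like "<path>.dat, B" (DLL path plus export name)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    foreach ($p in (Get-ItemProperty -Path $rk).PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }   # skip PowerShell's own metadata
        $val = [string]$p.Value
        if ($val -match '(?i)\.dat\s*,\s*\w+\s*$') {
            $findings += [pscustomobject]@{
                Location = "$rk\$($p.Name)"
                Value    = $val
                Reason   = 'Run value loads a .dat DLL by export name'
            }
        }
    }
}

# An empty table means neither indicator was present
$findings | Format-Table -AutoSize
```

Any hit should be checked against the file sizes and locations given above before the entry is removed, since the Notify key also holds legitimate packages on Windows XP.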

The trojan creates and runs a new thread with its own program code within the following processes:

  • rundll32.exe
  • iexplore.exe
  • explorer.exe
  • services.exe
  • winlogon.exe
  • firefox.exe
  • opera.exe

Other information

The trojan contains a list of 1 URL. It tries to download several files from that address, using the HTTP protocol.


These are stored in the following locations:

  • %system%\%variable%
  • %temp%\%variable%

A string with variable content is used instead of %variable%.


The downloaded files contain encrypted executables.


After decryption, the trojan runs these files.
