Win32/TrojanDownloader.Agent.PUD [Threat Name]

Win32/TrojanDownloader.Agent.PUD [Threat Variant Name]

Category trojan
Size 65536 B
Detection created Mar 15, 2010
Detection database version 4947
Aliases DLOADER.Trojan (Dr.Web)
  Downloader.Generic9.BOPF (AVG)
Short description

Win32/TrojanDownloader.Agent.PUD is a trojan which tries to promote certain web sites.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\nt32inf12.exe

In order to be executed on every system start, the trojan modifies the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "nt32inf12.exe" = "%system%\nt32inf12.exe"

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "*" = "*nt32.exe*"

The trojan executes the following command:

  • netsh.exe firewall set allowedprogram %system%\nt32inf12.exe ENABLE

The performed command creates an exception in the Windows Firewall.
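As an added defender-side illustration (not part of this description or of any vendor tooling), the following script looks for the installation pattern above in constructed EDR-style events: a Run-key value pointing at a freshly dropped file in the system directory, a netsh firewall exception for that same file, and the silent regsvr32 DLL registration mentioned later on this page. The event field names, the sample file names and the assumption that %system% is already expanded to C:\Windows\system32 are all my own choices.

```python
import re

# Constructed sample events (not telemetry from the page): one registry
# value-set event and three process-creation events, in the shape a Sysmon or
# EDR feed might record. Paths are assumed already expanded.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "nt32inf12.exe", "data": r"C:\Windows\system32\nt32inf12.exe"},
    {"type": "process", "cmdline":
     r"netsh.exe firewall set allowedprogram C:\Windows\system32\nt32inf12.exe ENABLE"},
    {"type": "process", "cmdline": r"regsvr32.exe /s C:\Windows\system32\tdmic8f2a.dll"},
    {"type": "process", "cmdline":
     r'netsh.exe firewall set allowedprogram "C:\Program Files\App\app.exe" ENABLE'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
# A file placed directly in the system directory, as the trojan's own copy is.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
NETSH_RE = re.compile(
    r"netsh(?:\.exe)?\s+firewall\s+set\s+allowedprogram\s+\"?(?P<path>.+?)\"?\s+ENABLE\s*$",
    re.IGNORECASE)
REGSVR_RE = re.compile(r"regsvr32(?:\.exe)?\s+/s\s+\"?(?P<path>.+?\.dll)\"?\s*$", re.IGNORECASE)


def norm(path):
    return path.strip().strip('"').lower()


def analyze(events):
    """Return (rule, path) findings for the persistence pattern described above."""
    run_targets, fw_targets, findings = set(), set(), []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            path = norm(ev["data"])
            if SYSTEM_DIR_RE.match(path):
                run_targets.add(path)
                findings.append(("run_key_persistence", path))
        elif ev["type"] == "process":
            m = NETSH_RE.search(ev["cmdline"])
            if m and SYSTEM_DIR_RE.match(norm(m.group("path"))):
                fw_targets.add(norm(m.group("path")))
                findings.append(("firewall_exception", norm(m.group("path"))))
            m = REGSVR_RE.search(ev["cmdline"])
            if m and SYSTEM_DIR_RE.match(norm(m.group("path"))):
                findings.append(("silent_dll_registration", norm(m.group("path"))))
    # Strongest signal: the same dropped binary is both auto-started and
    # whitelisted in the Windows Firewall.
    for path in sorted(run_targets & fw_targets):
        findings.append(("persistence_with_firewall_exception", path))
    return findings


if __name__ == "__main__":
    for rule, path in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Only targets inside the system directory are reported, so the legitimately whitelisted program under Program Files in the sample produces no finding.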


Executable file infection

Win32/TrojanDownloader.Agent.PUD can infect executable files.


The trojan infects the files by inserting its code at the beginning of the original program.


The trojan infects the files with program code that is downloaded from the Internet.


It infects the following files:

  • *.exe

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan can download and execute a file from the Internet. The trojan contains a list of (1) URLs. The HTTP protocol is used.


The trojan may create the following files:

  • %system%\printsys%variable1%.exe
  • %system%\explorer32%variable1%.exe
  • %system%\nt32%variable1%.exe
  • %system%\nt32in%variable1%.exe
  • %system%\tdmic%variable2%.dll
  • %system%\tdmic%variable2%.exe
  • %temp%\chiconunc.htm
  • %temp%\chiconcom.htm
  • %temp%\explorer32unc.htm
  • %temp%\explorer32com.htm
  • %temp%\nt32unc.htm
  • %temp%\nt32com.htm
  • %temp%\pigeonverunc.htm
  • %temp%\pigeonvercom.htm
  • %temp%\pigeonver.htm
  • %temp%\nt32infunc.htm
  • %temp%\nt32infcom.htm
  • %temp%\tdmicdllunc.htm
  • %temp%\tdmicdllcom.htm
  • %temp%\tdmicunc.htm
  • %temp%\tdmiccom.htm
  • %temp%\instrcom.htm

A string with variable content is used in place of %variable1-2%.


The trojan may execute the following commands:

  • regsvr32.exe /s %system%\tdmic%variable2%.dll

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.
