Win32/TrojanDropper.Agent.DGO [Threat Name]

Win32/TrojanDropper.Agent.DGO [Threat Variant Name]

Category trojan,virus
Detection created Dec 27, 2007
Detection database version 2748
Aliases Trojan-Dropper.Win32.Agent.dgo (Kaspersky)
  W32.Trats!inf (Symantec)
  W32/Trats.virus (McAfee)
Short description

Win32/TrojanDropper.Agent.DGO is a trojan that installs the Win32/Adware.Virtumonde.FP adware and also acts as a file infector (see below).

Installation

When executed, the trojan copies itself into the following location:

  • C:\WINDOWS\system32\sstts.exe

The following files are dropped in the same folder:

  • sstts.dll (Win32/Adware.Virtumonde.FP)
  • sttss.ini
  • sttss.ini2

The following library is injected into all running processes:

  • sstts.dll

In order to be executed at every user logon, the trojan sets the following Registry entry (the registry equivalent of the old win.ini "load=" line, run by Explorer when the user logs on):

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "load" = "C:\WINDOWS\system32\sstts.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "GlobalUserOffline" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    • "Authentication Packages" = "msv1_0 C:\WINDOWS\system32\sstts.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    • "{%variable CLSID%}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{%variable CLSID%}\InprocServer32]
    • "(Default)" = "C:\WINDOWS\system32\sstts.exe"
    • "ThreadingModel" = "Both"

A string with variable content is used instead of %variable CLSID%.

Appending the file to "Authentication Packages" (a REG_MULTI_SZ value that normally contains only msv1_0) makes lsass.exe load it at boot under the SYSTEM account, and the Browser Helper Object registration makes Internet Explorer load it at startup. Together with the "load" value above, this gives the trojan three independent persistence points; all of them must be cleared during removal, or the dropped files are restored on the next boot or logon.
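The persistence entries listed above are easy to audit offline from a registry export. The following script is an added example, not code from ESET or from the page: it parses a constructed .reg export (placeholder CLSID, sample values copied from the description above, not a real capture) and flags each entry the trojan sets. The BHO rule (InprocServer32 pointing at a known-bad file or at a file that is not a .dll) is an assumed heuristic, not a claim from the original text.

```python
import re

# Registry locations named in the description above.
KEY_LOAD = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
KEY_INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
KEY_LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
KEY_BHO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
KEY_CLSID = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
IOC_FILES = {"sstts.exe", "sstts.dll", "sttss.ini", "sttss.ini2"}   # file names from the description


def _multi_sz_hex(items):
    """Encode a REG_MULTI_SZ the way regedit exports it: hex(7) of UTF-16LE, double-NUL terminated."""
    raw = ("\0".join(items) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


# Constructed sample export (not a real capture); the CLSID is a placeholder.
CLSID = "{12345678-1234-1234-1234-123456789ABC}"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + KEY_LOAD + "]",
    r'"load"="C:\\WINDOWS\\system32\\sstts.exe"',
    "",
    "[" + KEY_INET + "]",
    '"GlobalUserOffline"=dword:00000001',
    "",
    "[" + KEY_LSA + "]",
    '"Authentication Packages"=' + _multi_sz_hex(["msv1_0", r"C:\WINDOWS\system32\sstts.exe"]),
    "",
    "[" + KEY_BHO + "\\" + CLSID + "]",
    "",
    "[" + KEY_CLSID + "\\" + CLSID + r"\InprocServer32]",
    r'@="C:\\WINDOWS\\system32\\sstts.exe"',
    '"ThreadingModel"="Both"',
])


def _decode_value(text):
    """Decode the REG_SZ, REG_DWORD and REG_MULTI_SZ encodings used by .reg files."""
    if text.startswith('"'):
        return re.sub(r'\\(["\\])', r"\1", text[1:-1])     # unescape \\ and \"
    if text.startswith("dword:"):
        return int(text[6:], 16)
    if text.startswith("hex(7):"):
        raw = bytes(int(h, 16) for h in text[7:].split(",") if h)
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    return text


def parse_reg_export(text):
    """Minimal .reg parser: returns {key_path: {value_name: value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)             # join continued hex lines
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key and line.startswith(('"', "@")):
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            reg[key][name] = _decode_value(value)
    return reg


def find_indicators(reg):
    """Return [(description, evidence)] for each persistence entry from the description that is present."""
    hits = []
    load = reg.get(KEY_LOAD, {}).get("load")
    if load:
        hits.append(("'load' autostart (registry form of the win.ini load= line)", load))
    packages = reg.get(KEY_LSA, {}).get("Authentication Packages", [])
    extra = [p for p in packages if p.lower() != "msv1_0"]
    if extra:
        hits.append(("extra LSA authentication package, loaded into lsass.exe at boot", extra))
    if reg.get(KEY_INET, {}).get("GlobalUserOffline") == 1:
        hits.append(("GlobalUserOffline forced to 1", 1))
    for key in reg:
        if key.lower().startswith(KEY_BHO.lower() + "\\"):
            clsid = key[len(KEY_BHO) + 1:]
            server = reg.get(KEY_CLSID + "\\" + clsid + r"\InprocServer32", {}).get("(Default)", "")
            base = server.rsplit("\\", 1)[-1].lower()
            if base in IOC_FILES or not base.endswith(".dll"):   # assumed heuristic
                hits.append((f"BHO {clsid} served from a known-bad or non-DLL file", server))
    return hits


if __name__ == "__main__":
    for what, evidence in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{what}: {evidence}")
```

On a live system the same checks can be run against `reg export` output of the four keys; a clean Windows XP machine has no "load" value, exactly one authentication package (msv1_0) and every BHO served by a .dll.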

Executable file infection

The trojan infects executable files.

The host file is modified so that the trojan's code runs before the original program: the infected file consists of the trojan's own body, with the original executable stored in its resource (.rsrc) section.

When an infected file is executed, the original program is written to a temporary file and run from there.
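Because the original program is kept intact inside the resource section, it can be recovered from an infected file without running it. The following script is an added example, not ESET's code or the trojan's: it parses the PE section table, scans the .rsrc section for an embedded MZ/PE header, and carves the embedded file out to the end of its last section. The `build_sample` helper constructs a minimal host and a minimal carrier PE in that layout for demonstration (constructed test data, not real malware, and not a runnable program); the assumed recovery rule is "embedded file ends where its last section's raw data ends".

```python
import struct

PE_SIG = b"PE\0\0"
OPT_HDR_SIZE = 0xE0        # size of a PE32 optional header
FILE_ALIGN = 0x200


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_sections(data, base=0):
    """Return [(name, raw_offset, raw_size)] for the PE whose MZ header is at data[base]
    (offsets relative to base), or None if no valid MZ/PE header is there."""
    if data[base:base + 2] != b"MZ" or base + 0x40 > len(data):
        return None
    pe = base + _u32(data, base + 0x3C)                  # e_lfanew
    if data[pe:pe + 4] != PE_SIG or pe + 24 > len(data):
        return None
    nsec = _u16(data, pe + 6)                            # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(data, pe + 20)                       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = pe + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    if table + nsec * 40 > len(data):
        return None
    secs = []
    for i in range(nsec):
        s = table + i * 40
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        secs.append((name, _u32(data, s + 20), _u32(data, s + 16)))   # PointerToRawData, SizeOfRawData
    return secs


def carve_embedded_pe(data):
    """Scan the .rsrc section of `data` for embedded PE files (the stored host program).
    Returns [(file_offset, bytes)] for every embedded PE found."""
    secs = parse_sections(data)
    if not secs:
        return []
    found = []
    for name, off, size in secs:
        if name != ".rsrc":
            continue
        end = min(off + size, len(data))
        pos = data.find(b"MZ", off, end)
        while pos != -1:
            inner = parse_sections(data, pos)
            if inner:
                # assumed recovery rule: the embedded file ends with its last section's raw data
                inner_end = min(pos + max(o + s for _, o, s in inner), end)
                found.append((pos, data[pos:inner_end]))
                pos = data.find(b"MZ", max(pos + 2, inner_end), end)
            else:
                pos = data.find(b"MZ", pos + 2, end)
    return found


def build_min_pe(sections):
    """Build a minimal PE32 layout with the given [(name, content)] sections.
    Constructed test data only: headers are valid enough to parse, but it is not a real program."""
    nsec = len(sections)
    hdr_len = 0x40 + 4 + 20 + OPT_HDR_SIZE + nsec * 40
    hdr_len = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    table, body, raw_ptr, va = b"", b"", hdr_len, 0x1000
    for name, content in sections:
        raw_size = -(-len(content) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), va, raw_size,
                             raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-raw_size // 0x1000) * 0x1000
    return (bytes(dos) + coff + bytes(opt) + table).ljust(hdr_len, b"\0") + body


def build_sample():
    """Constructed sample: a 'host' PE and a carrier PE holding the host in .rsrc,
    mirroring the infection layout described above (not a real sample)."""
    host = build_min_pe([(".text", b"\xC3" + b"original host program")])
    rsrc = b"\0" * 16 + struct.pack("<I", len(host)) + host + b"\0" * 8
    carrier = build_min_pe([(".text", b"\x90" * 32), (".rsrc", rsrc)])
    return host, carrier


if __name__ == "__main__":
    host, carrier = build_sample()
    for off, blob in carve_embedded_pe(carrier):
        print(f"embedded PE at offset {off:#x}, {len(blob)} bytes, matches host: {blob == host}")
```

Against a real infected file, read its bytes and call `carve_embedded_pe`; the carved bytes should be the clean original and will usually verify against a known-good copy or a vendor hash. Hosts whose overlay data (installer payloads, certificates) lies past the last section would be truncated by the assumed rule and need the overlay appended by hand.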

Other information

The adware displays dialogs within the Internet browser warning about supposed threats detected on the compromised computer that need to be removed.


The adware acquires data and commands from a remote computer or the Internet.


The adware contains a list of URLs. The HTTP protocol is used in the communication.


The downloaded programs try to appear to be legitimate and useful.


The goal of these programs is to persuade the user to purchase them.


During registration (purchase) of the adware, the user may be redirected to one of the following web sites, which sell the rogue security products described above:

  • http://www.antivirussecuritypro.com
  • http://www.drivecleaner.com
  • http://www.systemdoctor.com
  • http://www.winantivirus.com
  • http://www.winantiviruspro.com
  • http://www.sysprotect.com
  • http://www.errorprotector.com
  • http://www.amaena.com
  • http://www.winantispyware.com
  • http://www.errorsafe.com
  • http://www.winfirewall.com
  • http://www.winpopupguard.com
  • http://www.winantispy.com
  • http://www.windrivecleaner.com
  • http://www.stopguard.com
  • http://www.virusguard.com
  • http://www.winfixer.com

The adware may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\FCOVM]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\RemoveRP]

The adware alters the behavior of the following processes:

  • lsass.exe
  • ad-aware.exe
  • wrsssdk.exe
  • hijackthis.exe
  • firefox.exe
  • mozilla.exe

lsass.exe is the process that loads the "Authentication Packages" entry listed above, and ad-aware.exe and hijackthis.exe are anti-spyware tools, so their output on an infected running system cannot be trusted; removal should be performed from a clean boot environment.