Threat name | MSIL/Agent.DT |
Threat variant name | MSIL/Agent.DT |
Category | trojan, worm |
Size | 189440 B |
Aliases | Trojan.Win32.Agentb.aaew (Kaspersky), Trojan.Klovbot (Symantec) |
Short description
MSIL/Agent.DT is a worm that spreads via removable media.
Installation
When executed, the worm copies itself into the following location:
- c:\ProgramFileas\windowsdeafender.exe
The worm creates the following files:
- c:\ProgramFileas\winlogoon.exe (98816 B, MSIL/Agent.DT)
- c:\ProgramFileas\svchoost.exe (58880 B, MSIL/Agent.DT)
- c:\ProgramFileas\deleter.exe (28160 B, MSIL/Agent.DT)
The files are then executed.
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "winlogoon" = "c:\ProgramFileas\winlogoon.exe"
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
- Yeni Klasorr.exe
The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.
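A triage check for the naming behaviour described above, as an added example that is not part of the original description. It flags executables in a drive root that use the fixed name or share a name with a sibling file or folder. The exact matching rule (the .exe name without its extension equals a sibling's full name or stem) is an assumption about what "based on" means here, and the function names and sample directory are constructed for the example.

```python
import os
import tempfile

# Fixed dropper name taken from the description above (compared case-insensitively).
FIXED_NAME = "yeni klasorr.exe"

def scan_drive_root(root):
    """Return {exe_name: reason} for executables in `root` that fit the pattern."""
    names = os.listdir(root)
    exes = [n for n in names if n.lower().endswith(".exe")
            and os.path.isfile(os.path.join(root, n))]
    # Names an impostor could borrow: every other entry, by full name and,
    # for files, by stem (so "thesis.docx" also covers "thesis.exe").
    borrowed = {}
    for n in names:
        if n in exes:
            continue
        borrowed[n.lower()] = n
        if os.path.isfile(os.path.join(root, n)):
            borrowed.setdefault(os.path.splitext(n)[0].lower(), n)
    findings = {}
    for exe in exes:
        stem = exe[:-4].lower()  # strip ".exe"
        if exe.lower() == FIXED_NAME:
            findings[exe] = "fixed name used by the worm"
        elif stem in borrowed:
            findings[exe] = "shares its name with '%s'" % borrowed[stem]
    return findings

def build_sample_root():
    """Constructed sample: a temp directory standing in for a removable drive root."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    os.mkdir(os.path.join(root, "Photos"))
    for name in ("Photos.exe", "thesis.docx", "thesis.exe",
                 "Yeni Klasorr.exe", "setup.exe", "notes.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"placeholder")  # harmless filler, not a real binary
    return root

if __name__ == "__main__":
    for name, reason in sorted(scan_drive_root(build_sample_root()).items()):
        print(name, "-", reason)
```

A hit is a lead for scanning the file with an up-to-date product, not a verdict: legitimate installers sometimes sit next to a folder of the same name.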
Information stealing
The worm searches removable drives for files with the following file extensions:
- .doc
- .docx
When the worm finds a file matching the search criteria, it creates a copy of that file.
The files are saved into the following folder:
- c:\ProgramFileas\
The worm attempts to send the found files to a remote machine.
The worm sends the information via e-mail. The worm contains a list of (1) addresses.
Other information
The worm connects to the following addresses:
- www.google.com
The worm may delete the following files:
- c:\ProgramFileas\*.doc
- c:\ProgramFileas\*.docx