What is TrustedSource? | Create Account | Login 
Secure Computing Corporation
 
Home  Threats and Trends  Malware Information
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 

Malware Information

Malware nameTrojan.Dldr.Agent.XAE
TypeTrojan
Affected platformWin32
Media-Typeapplication/executable
MD5 checksumD7C594E7118472DF80788C6DB4EFEEE6
Static fileno
Filesize11,264 Bytes
Alias names
(also known as)
SophosTroj/DwnLdr-HIQ
McAfeeGeneric Downloader.ab
CA ETrustWin32/SillyDl.FKI
Side effectsDownloads malicious files
PropagationEmail

Description:

Files

The following files are created:

– Temporary files that might be deleted afterwards:
• %temporary internet files%\Content.IE5\%eight-digit random character string%\scan[1].exe
• %temporary internet files%\Content.IE5\%eight-digit random character string%\l[1].exe
• %temporary internet files%\Content.IE5\%eight-digit random character string%\g[1].exe




It tries to download some files:

– The location is the following:
• http://79.135.167.1**********/scan.exe
It is saved on the local hard drive under: C:\2.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.Dldr.Small.aeum


– The location is the following:
• http://79.135.167.1**********/l.exe
It is saved on the local hard drive under: C:\3.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.Dldr.Exchanger.agc


– The location is the following:
• http://79.135.167.1**********/g.exe
It is saved on the local hard drive under: C:\4.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Trojan.Agent.AKJU

Email

It doesn't have its own spreading routine but it was spammed out via email. The characteristics are described in the following:


From:
The sender address is spoofed.


Subject:
The following:
• New Bill for register.



Body:
The body of the email is the following:
• Hello register, the new bill is attached. Password is 123. Please pay in time


Attachment:
The filename of the attachment is:
• bill8.zip

The attachment is an archive containing a copy of the malware itself.



The email looks like the following:


File details

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
Secure Computing Corporate Homepage | Contact | Privacy Policy | Disclaimer

Copyright © 2007-2008 Secure Computing Corporation. All Rights Reserved.

THE DATA IS FURNISHED, "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, AND SECURE COMPUTING® HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT, AND IN NO EVENT SHALL SECURE COMPUTING® BE LIABLE FOR COSTS OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL SECURE COMPUTING® BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT SECURE COMPUTING® HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.