W32/Agent.NAA!tr

Analysis

  • Copies itself to %SYSTEM%\taskdir.exe.
  • Drops the following file:
    • %SYSTEM%\adir.dll
  • Uses the following mutex:
    • _alanchum
  • Adds the following registry entry:
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • value: taskdir
    • data: %SYSTEM%\taskdir.exe
  • Deletes the following registry entry:
    • key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • value: taskdir
    • data: %SYSTEM%\taskdir.exe
  • Connects to the following server to update itself:
    • http://81.17{REMOVED}/cp/bin/lim
  • Connects to the following servers to retrieve a script file, which it then runs:
    • http://81.17{REMOVED}/cp/rule.php
    • http://69.50{REMOVED}/cp/rule
    • http://205.20{REMOVED}/cp/rule.php
    • http://209.12{REMOVED}/cp/rule.php
  • Attempts to use its own SMTP engine to send mass emails through the gmail.com MX server, using the sender address nobody@mail.ru.
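A defender-side check for the Run-key persistence described above, added here as an example and not part of the FortiGuard entry. The registry dump it scans is constructed, and the function names are hypothetical; it looks for the `taskdir` value name or a `taskdir.exe` image under either Run key, normalising the doubled backslashes a `.reg` export uses.

```python
import re

# Indicators taken from this encyclopedia entry
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
SUSPECT_VALUE = "taskdir"
SUSPECT_EXE = "taskdir.exe"

# Constructed sample of a `reg export` style dump (not taken from a real host)
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"taskdir"="C:\\Windows\\system32\\taskdir.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"""


def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files write a literal backslash as two backslashes
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_run_persistence(text):
    """Return Run-key entries matching this sample's value name or image name."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        # First token is the image path; later tokens are command-line arguments
        image = data.split()[0].strip('"').lower() if data else ""
        if name.lower() == SUSPECT_VALUE or image.endswith("\\" + SUSPECT_EXE):
            hits.append((key, name, data))
    return hits
```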
Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
