About:
Troj/Agent-LNW is an emailed fake anti-virus infector. It is distributed as an attachment to a spam message that attempts to convince users to agree to the terms of an imaginary contract. Agreeing to this contract will purportedly make payment for the first consignment available on Friday.
The primary purpose of this Trojan when installed is to display the following warning bubble on the system tray:
When the user clicks the warning bubble, Troj/Agent-LNW contacts a remote site and attempts to download the fake anti-virus application, called AntivirusPro_2010.exe, which is detected by Sophos as Mal/Bredo-C.
Here are a few examples of the accessed remote sites (with parts of the URL removed):
- http://utka3medrdosXXXX.com/
- http://anobhwalukXXXX.com/
- http://ertadbuferytXXXX.com/
- http://utorgtan9edoXXXX.com/
- http://rtugamer5tbXXXX.com/
When Troj/Agent-LNW completes installation, it creates these files:
- <User>\Application Data\seres.exe (a copy of Troj/Agent-LNW)
- <User>\Application Data\svcst.exe (a copy of Troj/Agent-LNW)
To auto start these copies of itself, Troj/Agent-LNW creates registry entries:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mserv = C:\Documents and Settings\support\Application Data\seres.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost = C:\Documents and Settings\support\Application Data\svcst.exe
In addition to installing the above registry entries for auto-starting, Troj/Agent-LNW also installs the following registry entry to reduce the system security of the victim computer:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes = zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav
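The following PowerShell check is an added example, not part of the Sophos analysis: it audits the current user's hive for the two Run values, the two dropped files and the LowRiskFileTypes policy described above (that policy tells the Windows Attachment Manager to skip its open-file warning for the listed extensions, so listing .exe, .reg and .msi there removes a prompt that would otherwise precede the fake anti-virus download). It assumes it runs as the affected user, and that the dropped files live in that user's Application Data folder (%APPDATA%).

```powershell
# Added example (not from the Sophos analysis): audit HKCU for the Troj/Agent-LNW
# persistence entries and the weakened LowRiskFileTypes policy described above.
# Assumes it runs as the user whose hive is being checked; file names, value names
# and key paths are the ones named in the analysis.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$dropNames = @('seres.exe', 'svcst.exe')   # copies the Trojan drops under Application Data
$runNames  = @('mserv', 'svchost')         # value names it creates under Run

$findings = @()

# 1. Run values: flag by value name, or by a command whose executable is a dropped file.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $cmd  = [string]$p.Value
        $leaf = ($cmd.Trim('"') -split '\\')[-1]
        if ($runNames -contains $p.Name -or $dropNames -contains $leaf) {
            $findings += "Run value '$($p.Name)' -> $cmd"
        }
    }
}

# 2. Dropped files: %APPDATA% is the current user's Application Data folder.
foreach ($name in $dropNames) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path $path) { $findings += "Dropped file present: $path" }
}

# 3. LowRiskFileTypes: executable types listed here bypass the Attachment Manager warning.
#    The first entry in the Trojan's list ("zip") has no leading dot, so compare without it.
$lowRisk = (Get-ItemProperty -Path $policyKey -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
if ($lowRisk) {
    $risky = ($lowRisk -split ';') | Where-Object { $_.TrimStart('.') -in @('exe', 'reg', 'msi', 'cab') }
    if ($risky) { $findings += "LowRiskFileTypes marks executable types as low risk: $lowRisk" }
}

if ($findings) {
    Write-Warning 'Indicators of Troj/Agent-LNW found in HKCU:'
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Troj/Agent-LNW indicators found in HKCU.'
}
```

Run it per user profile that may have opened the attachment; a legitimately configured LowRiskFileTypes value should never contain .exe, .reg or .msi, so that finding is worth investigating even if the Run values and files are absent.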