Troj/Agent-MJJ is a fake anti-virus Trojan for the Windows platform. It includes the functionality to run automatically, access the internet and communicate with a remote server via HTTP.
Troj/Agent-MJJ runs only on machines with an active internet connection and is protected with rogue packers to evade anti-virus detection. Besides running itself, the malware also starts a <System>\regsvr32.exe process.
When run, Troj/Agent-MJJ displays a fake anti-virus scan window titled 'AntiVirus Soft' and reports bogus threats on the system.
When installed, Troj/Agent-MJJ attempts to kill any anti-virus processes that might be used for malware analysis or cleanup.
The Trojan installs itself using randomly generated file names such as bsvtrb.exe, odjqsftav.exe and oulxfa.exe.
In order to run automatically after a reboot, autostart registry entries are added that reference the following locations:
<User>\Local Settings\Application Data\<random value>\<Filename>
<User>\Local Settings\Application Data\<random name>\<Filename>
Like other fake anti-virus Trojans we have seen, this variant adds itself to a startup key associated with the currently logged-in user. This appears to be a method to evade protections provided by Windows User Account Control (UAC).
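The per-user autostart behaviour described above lends itself to a simple triage check: list the current user's Run values and flag any that launch an executable from a randomly named folder under Local Settings\Application Data. The following script is an added example written for this page; it is not Sophos code. It assumes the HKCU Run key (Software\Microsoft\Windows\CurrentVersion\Run), approximates "random" as a lowercase, letters-only name of 5 to 12 characters, and ships with a constructed sample of Run values (the folder names ykqpzd and wmtrxqo are invented; bsvtrb.exe and odjqsftav.exe are file names the advisory lists) so it runs on any platform.

```python
import re

# Constructed sample of HKCU Run values (value name -> command line).
# Folder names are invented; bsvtrb.exe / odjqsftav.exe are names from the advisory.
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "bsvtrb": r'"C:\Documents and Settings\alice\Local Settings\Application Data\ykqpzd\bsvtrb.exe"',
    "Updater": r"C:\Program Files\Vendor\Updater.exe /silent",
    "odjqsftav": r"C:\Documents and Settings\alice\Local Settings\Application Data\wmtrxqo\odjqsftav.exe /s",
}

# Per-user autostart key (assumed: the advisory names no key explicitly).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Install location the advisory describes:
#   <User>\Local Settings\Application Data\<random>\<random>.exe
# "Random" is approximated as 5 to 12 letters with no digits, spaces or punctuation.
_SUSPECT_PATH = re.compile(
    r"\\Local Settings\\Application Data\\([a-z]{5,12})\\([a-z]{5,12})\.exe$",
    re.IGNORECASE,
)


def executable_from_command(command: str) -> str:
    """Return the executable path from a Run-key command line, dropping quotes and arguments."""
    m = re.match(r'\s*"?(.*?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def is_suspect_autorun(command: str) -> bool:
    """True when the command launches an .exe from a random-named folder under Local Settings\\Application Data."""
    return _SUSPECT_PATH.search(executable_from_command(command)) is not None


def suspect_autoruns(run_values: dict) -> list:
    """Return the value names whose command matches the pattern, in dictionary order."""
    return [name for name, cmd in run_values.items() if is_suspect_autorun(cmd)]


def read_hkcu_run() -> dict:
    """Read HKCU Run values on Windows; return {} elsewhere so the example still runs offline."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    live = read_hkcu_run()
    source = live if live else SAMPLE_RUN_VALUES
    for name in suspect_autoruns(source):
        print(f"suspect autorun: {name} -> {source[name]}")
```

The heuristic is deliberately narrow: a legitimate per-user program that installs into a readable, vendor-named folder is not flagged, while the random folder-plus-file pattern this family uses is. On Windows the script reads the live key; elsewhere it falls back to the constructed sample, which is enough to see the check in action.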
Troj/Agent-MJJ contacts the following sites, which are also used to sell the associated fake anti-virus:
In addition to the standard detection provided for Troj/Agent-MJJ, the proactive HIPS technology in Sophos Endpoint Security can prevent installation and running of this malware. HIPS/ProcMod-004 is triggered by this malware attempting to run.