Troj/Agent-LVN is part of the Bredo family of spamming bot Trojans, specifically part of the Mal/Bredo-B family. These bots are typically delivered through social engineering spam campaigns, though there is no specific campaign for Troj/Agent-LVN.
When first run, Troj/Agent-LVN copies itself to a file in the %TEMP% folder and to <Start Menu\Programs>\Startup\siszyd32.exe, which lets the malware run automatically on startup.
Innocuous registry entries may be created under HKLM\SOFTWARE\Microsoft\Tracing\IpxAdptif as a side effect of the malware loading the <SYSTEM>\adptif.dll library. This library is the 'IPX Interface via WinSock', meaning this bot is aware of NetWare networking.
Troj/Agent-LVN calls home to forhomessale.ru with an HTTP GET request to /new/controller.php?action=bot& followed by further query-string parameters (entity_list, rnd, uid and guid) that identify the new infection.
It also creates the data file <User>\Application Data\avdrn.dat.
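The beacon and host artifacts described above can be turned into a simple detection. The following Python script is an added example written for this page, not Sophos code: it scans proxy log lines for the forhomessale.ru /new/controller.php?action=bot beacon and extracts the uid/guid identifiers, and it checks a list of observed file paths and registry keys for the startup copy, the avdrn.dat data file and the Tracing\IpxAdptif key. The log lines and identifier values are constructed for the example; the Common Log Format layout is an assumption about how the proxy writes its log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Network indicators taken from the write-up above.
C2_HOST = "forhomessale.ru"
C2_PATH = "/new/controller.php"
C2_PARAMS = {"entity_list", "rnd", "uid", "guid"}

# Host indicators from the write-up, lower-cased for case-insensitive matching.
# The Tracing key is a side effect of loading adptif.dll, so it is a weak
# indicator on its own; the other two are strong.
HOST_INDICATORS = {
    "startup_copy": r"\start menu\programs\startup\siszyd32.exe",  # strong
    "data_file": r"\application data\avdrn.dat",                    # strong
    "registry_trace": r"hklm\software\microsoft\tracing\ipxadptif", # weak
}

# Constructed proxy log lines (Common Log Format with absolute URLs); not real traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.12 - - [10/Oct/2023:13:55:36 +0000] "GET http://forhomessale.ru/new/controller.php?action=bot&entity_list=1&rnd=4821&uid=AB12&guid=1111-2222 HTTP/1.1" 200 512
10.0.0.15 - - [10/Oct/2023:13:55:40 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 2048
10.0.0.12 - - [10/Oct/2023:13:56:01 +0000] "GET http://forhomessale.ru/new/controller.php?action=bot&entity_list=2&rnd=99&uid=AB12&guid=1111-2222 HTTP/1.1" 200 256
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def match_c2_request(url):
    """Return the bot-identification parameters if the URL is the Troj/Agent-LVN beacon, else None."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST or parts.path != C2_PATH:
        return None
    qs = parse_qs(parts.query)
    if qs.get("action") != ["bot"]:
        return None
    return {k: qs[k][0] for k in C2_PARAMS if k in qs}


def scan_proxy_log(text):
    """Yield one hit per beacon request: source IP, timestamp and the identifiers it sent."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as CLF
        params = match_c2_request(m.group("url"))
        if params is not None:
            hits.append({"src": m.group("src"), "ts": m.group("ts"), **params})
    return hits


def infected_hosts(hits):
    """Distinct source addresses that beaconed, sorted for stable reporting."""
    return sorted({h["src"] for h in hits})


def check_host_artifacts(observed):
    """observed: file paths and registry keys collected from a host. Returns the indicator names matched."""
    found = set()
    for item in observed:
        low = item.lower()
        for name, fragment in HOST_INDICATORS.items():
            if fragment in low:
                found.add(name)
    return found


if __name__ == "__main__":
    beacons = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in beacons:
        print(f"{hit['ts']} {hit['src']} beacon uid={hit.get('uid')} guid={hit.get('guid')}")
    print("hosts to isolate:", infected_hosts(beacons))
    # Constructed artifact listing from a hypothetical host triage.
    triage = [
        r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\siszyd32.exe",
        r"C:\Documents and Settings\bob\Application Data\avdrn.dat",
        r"HKLM\SOFTWARE\Microsoft\Tracing\IpxAdptif\EnableFileTracing",
    ]
    print("artifacts found:", sorted(check_host_artifacts(triage)))
```

Because the same uid/guid pair recurs across beacons from one host, grouping hits by those values is a quick way to confirm that repeated requests belong to a single infection rather than to several machines behind one address. A match on the Tracing key alone should not be treated as an infection without one of the file artifacts or the beacon.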
Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Troj/Agent-LVN. The installation of this malware triggers the HIPS rule HIPS/FileMod-001.