TROJ_PROXY.AFV
Overview

Malware type: Trojan

Aliases: Backdoor.Win32.Agent.cef (Kaspersky), Proxy-Agent.af.gen (McAfee), Trojan Horse (Symantec), TR/PSW.Agent.RWD.13 (Avira), Troj/AgentM-Fam (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Medium

Distribution potential: Low

Infection channel 1: Spammed via email


Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TROJ_PROXY.AFV Behavior Diagram

Malware Overview

This Trojan may be downloaded from malicious Web sites, either by other malware or unknowingly by a user. It can also arrive as an attachment to spammed email messages.

It is reportedly spammed using sensational news headlines as email subjects to hook unsuspecting victims. Because the headlines are taken from real news stories, the messages are harder to distinguish from legitimate news alerts. The spam reportedly uses the following email details:

Subject: (any of the following)
• Law hits Las Vegas 'fake' bands
• Man Awakens From 19-Year Coma
• Re: U.S. violent crime up again, more murders, robberies

Message body: (any of the following)
• Decade Of Mystery: John Ramsey Speaks
• Man wakes from 19-year coma in
• Poland US vows to pursue hunt for missing soldiers
• Password for submitted attachment is xxx

The attachments are password-protected ZIP archives with random file names, and the messages are crafted to appear to come from news organizations. Because the archive is encrypted, mail gateways and antivirus scanners cannot inspect the file inside it; the recipient is expected to extract it using the password supplied in the message body.
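One triage check a mail administrator would want for this spam pattern is to flag messages that combine an encrypted ZIP attachment with a password stated in the body, since a legitimate sender rarely ships both in the same message. The following is an added example, not Trend Micro's code or part of the original write-up. The sample message, its sender and recipient addresses, and the attachment name are constructed test data; the ZIP is built with Python's standard library and only has its "encrypted" flag bit set, because `zipfile` cannot write truly encrypted archives.

```python
"""Flag spam that pairs an encrypted ZIP attachment with a password in the body.

Added example. All messages and archives below are constructed test data.
"""
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Bit 0 of the ZIP general-purpose flag field marks an encrypted entry.
ZIP_ENCRYPTED_FLAG = 0x1

# Matches phrasings such as "Password for submitted attachment is xxx" or
# "password: xxx" and captures the password token.
PASSWORD_RE = re.compile(r"\bpassword\b[^\n]*?\b(?:is|:)\s*(\S+)", re.I)

ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed",
                     "application/octet-stream"}


def make_fake_encrypted_zip() -> bytes:
    """Build a stored ZIP and flip the encrypted bit in its local and central headers.

    zipfile cannot write encrypted archives, so the flag is simulated; the entry
    payload is not actually encrypted. Constructed test data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("news_video.exe", b"MZ" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    # Local file header: flags at offset 6; central directory header: offset 8.
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", data, pos + flag_off)
            struct.pack_into("<H", data, pos + flag_off, flags | ZIP_ENCRYPTED_FLAG)
            pos = data.find(sig, pos + 4)
    return bytes(data)


def make_plain_zip() -> bytes:
    """Build an ordinary (unencrypted) ZIP for the benign comparison case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", b"quarterly numbers")
    return buf.getvalue()


def build_sample_message(zip_bytes: bytes, with_password: bool) -> bytes:
    """Assemble a constructed email resembling the described spam (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Man Awakens From 19-Year Coma"
    body = "Man wakes from 19-year coma in\n"
    if with_password:
        body += "Password for submitted attachment is xxx\n"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="gs83kd1.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return the body password (if any), encrypted ZIP attachments, and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    match = PASSWORD_RE.search(text)
    password = match.group(1) if match else None

    encrypted_zips = []
    for part in msg.iter_attachments():
        if part.get_content_type() not in ZIP_CONTENT_TYPES:
            continue
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                encrypted = [i.filename for i in zf.infolist()
                             if i.flag_bits & ZIP_ENCRYPTED_FLAG]
        except zipfile.BadZipFile:
            continue
        if encrypted:
            encrypted_zips.append(part.get_filename())

    return {
        "password_in_body": password,
        "encrypted_zip_attachments": encrypted_zips,
        "suspicious": bool(password and encrypted_zips),
    }


if __name__ == "__main__":
    print(triage(build_sample_message(make_fake_encrypted_zip(), with_password=True)))
    print(triage(build_sample_message(make_plain_zip(), with_password=False)))
```

The check reads the encrypted flag from the ZIP headers rather than attempting to open entries, so it works on the raw attachment without any password and also catches archives whose entry names are randomised. In a real gateway rule the same two signals (encrypted container plus an in-body password) are worth weighting higher than the subject line, which the spammer changes with the news cycle.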

It connects to Web sites to download possibly malicious components, upload system information, download and execute updated versions of itself, or retrieve commands to execute on the affected system.


Description created: Jun. 5, 2007 1:44:40 PM GMT -0800
