Trojan:W32/Agent.DXH

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan:W32/Agent.DXH

Summary

Trojan:W32/Agent.DXH, also known as Trojan.Win32.Agent.dxh, contains an encrypted payload. Agent.DXH appears to be a component of malware that targets Italian computer users.

Removal

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Agent.DXH is installed on the system when the file is executed with "INSTALL" as the parameter. Once installed, the malware traverses the %regrun% registry keys under HKLM and HKCU. For each existing entry, it replaces the referenced file with a copy of itself and moves the original file into a "bak" folder at the original file's location. Through this routine the malware is able to start itself automatically at system startup. This malware is a downloader that tries to connect to the following domains:

  • a.doginhispen.com
  • b.skitodayplease.com

Notes:

  • The domain "doginhispen" points to a host in Sweden.
  • The domain registration is through an anonymity service in the USA.
  • WhoIs services list 70% of the site's visitors as being from Italy.
  • The URL "a.doginhispen.com" displays only the message "It Works!" in a web browser.
  • The domain "skitodayplease" was not online during analysis.

Agent.DXH may also contact this link as part of its infection routine:

  • https://88.80.7.66/[REMOVED]/log6.php?STAGE=1

Note: doginhispen.com and skitodayplease.com resolve to 88.80.7.66.

The downloaded file is decrypted and saved in the Windows temporary folder under a random filename. Once the download and decryption are complete, the file is executed. This malware may also update an existing infection when run with the "UPDATE" parameter.

To clean the system, the computer user may need to retrieve the original file pointed to by the registry entry from the "bak" folder where the malware saved it.

Additional Info: Agent.DXH may create a file called abc123.pid, in which it saves its process ID. The entry is read back when the malware updates itself.
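As an added defender's aid, not code from the F-Secure description above: a PowerShell snippet that lists Run entries under HKLM and HKCU whose target executable has a same-named copy in a "bak" folder beside it, the trace left by the replacement routine described above. It assumes PowerShell 4 or later (for Get-FileHash) and that the page's %regrun% refers to the standard CurrentVersion\Run keys.

```powershell
# Added example, not part of the F-Secure description: enumerate Run entries under
# HKLM and HKCU and report any whose referenced executable has a same-named copy
# in a "bak" folder beside it, the trace Agent.DXH leaves after replacing a file.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties that Get-ItemProperty adds itself and that are not Run values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntryPath {
    param([string]$Command)
    # Run values may be quoted ("C:\Program Files\App\app.exe" /arg) or bare
    # (C:\Tools\app.exe /arg). Quoted: take the quoted part. Bare: take up to
    # the first ".exe" so paths containing spaces are not cut short.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Find-BakDisplacedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables(
                (Get-RunEntryPath -Command ([string]$prop.Value)))
            if (-not (Test-Path -LiteralPath $exe)) { continue }
            $bak = Join-Path (Join-Path (Split-Path -Parent $exe) 'bak') (Split-Path -Leaf $exe)
            if (-not (Test-Path -LiteralPath $bak)) { continue }
            # A same-named file in .\bak next to a Run target matches the pattern
            # described above; the hashes let an analyst confirm the files differ.
            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Executable = $exe
                ExeSHA256  = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                BakCopy    = $bak
                BakSHA256  = (Get-FileHash -LiteralPath $bak -Algorithm SHA256).Hash
            }
        }
    }
}

Find-BakDisplacedRunEntries | Format-List
```

Run it from an elevated prompt so HKLM and protected program folders are readable. A listed entry is a candidate for restoring the "bak" copy over the Run target once the copy has been scanned with current definitions.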