Trojan:W32/Agent.DSJS

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Trojan:W32/Agent.DSJS

Summary

Trojan:W32/Agent.DSJS installs malicious files onto the infected machine.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

Check for the latest database updates

First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample

After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning

If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

Note: You need administrative rights to change the settings.

Technical Details

Trojan:W32/Agent.DSJS is an installer file that serves as a wrapper for two EXE files:

installer.data.exe
installer.crc32.exe

The installer drops these executables, and deletes them after they have finished execution.

Separately, the installer's main responsibility on execution is to capture a screenshot of the machine and stored the screenshot as "error.jpg".

The purpose is to steal information visible onscreen at the time the screenshot is taken. The stolen details may include the following:

FF stored credentials
IE stored credentials
HTTP authentication passwords
MSN messenger passwords
PC name
Current login username
the local/public IP addresses

These details stolen are not stored in a physical file but may be captured from standard output (i.e., it can retrieve the stolen information when 'installer.XXX.exe' prints the output via the console window).

These details will be sent to "wgewurztraminer@gmail.com" on port 587 with the "error.jpg" as an attachment if the screenshot file is exist on the machine.

Dropped Malware

The file 'installer.crc32.exe' is responsible for retrieving the login/password information stored by Firefox.

The file 'installer.data.exe' steals Internet Explorer (IE) credentials, such as the IE AutoComplete password, HTTP authentication passwords and .Net passport account.

When stealing the IE AutoComplete password, it looks for the following targeted websites:

lightningusenet.com
ghost-of-usenet.org
gmx.net
meinvz.net
nzbspots.com
linkedin.com
secure.newegg.com
facebook.com
google.com/accounts/login
rapidshare.com
download2day.nl
portal.getranet.com
hyves.nl
hotmail.com
hotmail.nl
hotmail.de
live.com
login.live.com
twitter.com
gmail.com
google.nl/accounts/login
google.de/accounts/login
fok.nl
forum.fok.nl
frontpage.fok.nl
login.yahoo.com
flickr.com
slashdot.org
wikipedia.org
youtube.com
kdc.xboxlive.com
killzone.com
snellerdownloaden.com
newsxs.nl
newsxs.nl/login
newshost.za.net
reader.newsxs.nl
xsnews.nl
reader.xsnews.nl
nzbmatrix.com
member.hitnews.eu/member.php
xsnews.com/myxsnews/myxsnews.php
identity.virginmedia.com
www.giganews.com/vyprvpn
boost1-downloads.members.easynews.com:80/EasyNews
verkopen.marktplaats.nl/useradmin/mymarktplaats.php
webmail2-gn.ziggo.nl/iwc_static/layout/login.html
easynews.com
members.easynews.com:80/EasyNews
members-beta.easynews.com:80/EasyNews
yabnews.nl/mijn_account/inloggen
webmail.genoba.com/src/login.php
microsoftonline.com
localhost:8080/SABnzbd
localhost:9090/SABnzbd
192.168.0.1:80/NETGEAR

Trojan:W32/Agent.DSJS

Classification

Summary

Removal

Automatic action

Suspect a file is incorrectly detected (a False Positive)?

Technical Details

Dropped Malware