Threat Descriptions

Trojan:W32/Agent.FVO

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Trojan:W32/Agent.FVO

Summary

Trojans are malicious programs that pretend be to benign. Trojans do not replicate themselves.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan:W32/Agent.FVO was sent in several spam runs in the country of Denmark. The email messages are in Danish and were sent to Danish email addresses.The email message claim to be from F-Secure support.The message appears as follows: 

 From: supportupdate@f-secure.com 
Date: 26. August 2008 08:31 
Subject: Data er tillagt og sendt med denne meddelelse. Käre kunder! Regning Data er tillagt og sendt med denne meddelelse. Jeg bruger gratis F-secure antispamversion, som allerede har fjernet 338 spambreve. Antispam er helt gratis for private brugere. 
Attachment: f-secure.rar

The attachment contains a file called update26.08.2008.exe, which, when run, drops a file called dcbcg.exe that attempts to connect to a server located in Ukraine.The IP address to which Agent.FVO attempts to connect hosts a fake version of MP3.com.

File System Changes

Creates these files:

  • %windir%\system32\drivers\dcbcg.exe

Network Connections

Attempts to connect with HTTP to:

  • http://91.203.[REMOVED]/port/c.php?l=US&d=F5CAA48923FD4CCA8D239AE89BEAC0B9&ver=3.6.7&rvz1=2650&rvz2=0000091859

Registry Modifications

Sets these values:

  • HKCU\software\ewrew\dcbcg\main cid = F5CAA48923FD4CCA8D239AE89BEAC0B9
  • HKCU\software\ewrew\sample\maincid = 28280947699F4F27B32917B2C8654CE4
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run _ = c:\windows\system32\drivers\dcbcg.exe

Creates these keys:

  • HKCU\software\ewrew
  • HKCU\software\ewrew\sample
  • HKCU\software\ewrew\sample\main
  • HKCU\software\ewrew\dcbcg
  • HKCU\software\ewrew\dcbcg\main