Trojan.MSIL.Agent.aor
From Total Malware Info
Last edited: 28.1.2011
The trojan is designed to steal confidential user information. It is a Windows .NET application (PE-EXE file). Its size is 1,116,397 bytes.
MD5: 1061DD99AC8AD010104CF04389CD0A21
SHA1: FB2C35AA9FFBE0A18CA7B2954E76C47BFB3B5CF8
Payload
The trojan suppresses its payload when it detects that it is running inside one of the following virtual environments:
VMWare
VirtualPC
VirtualBox
Sandboxie
The trojan is designed to steal the users' login information from the following software products:
Splinter Cell Pandora Tomorrow Splinter Cell Chaos Theory Call of Duty Call of Duty United Offensive Call of Duty 2 Call of Duty 4 COD4 Steam Version Call of Duty WAW Dawn of War Dawn of War - Dark Crusade Medieval II Total War Adobe Goolive Nero 7 ACDSystems PicAView Act of War Adobe Photoshop 7 Advanced PDF Password Recovery Advanced PDF Password Recovery Pro Advanced ZIP Password Recovery Anno 1701 Ashamopp WinOptimizer Platinum AV Voice Changer Battlefield(1942) Battlefield 1942 Secret Weapons of WWII Battlefield 1942 The Road to Rome Battlefield 2 Battlefield(2142) Battlefield Vietnam Black and White Black and White 2 Boulder Dash Rocks Burnout Paradise Camtasia Studio 4 Chrome Codec Tweak Tool Command and Conquer Generals Command and Conquer Generals Zero Hour Red Alert 2 Red Alert Command and Conquer Tiberian Sun Command and Conquer 3 Company of Heroes Counter-Strike Crysis PowerDVD PowerBar CyberLink PowerProducer Day of Defeat The Battle for Middle-earth II The Sims 2 The Sims 2 University The Sims 2 Nightlife The Sims 2 Open For Business The Sims 2 Pets The Sims 2 Seasons The Sims 2 Glamour Life Stuff The Sims 2 Celebration Stuff The Sims 2 H M Fashion Stuff The Sims 2 Family Fun Stuff DVD Audio Extractor Empire Earth II F.E.A.R F-Secure FARCRY FARCRY 2 FIFA 2002 FIFA 2003 FIFA 2004 FIFA 2005 FIFA 07 FIFA 08 Freedom Force Frontlines Fuel of War Beta Frontlines Fuel of War GetRight Global Operations Gunman Half-Life Hellgate London Hidden & Dangerous 2 IGI 2 Retail InCD Serial IG2 iPod Converter (Registration Code) iPod Converter (User Name) James Bond 007 Nightfire Status Legends of Might and Magic Macromedia Flash 7 Macromedia Fireworks 7 Macromedia Dreamweaver 7 Madden NFL 07 Matrix Screensave Medal of Honor Airborne Medal of Honor Allied Assault Medal of Honor Allied Assault Breakthrough Medal of Honor Heroes 2 mIRC Nascar Racing 2002 Nascar Racing 2003 NHL 2002 NBA LIVE 2003 NBA LIVE 2004 NBA LIVE 07 NBA Live 08 Need for Speed Carbon Need For Speed Hot Pursuit 2 Need for Speed Most Wanted Need for Speed ProStreet Need For Speed Underground Need For Speed Underground 2 Nero - Burning Rom Nero 7 Nero 8 NHL 2002 NHL 2003 NHL 2004 NHL 2005 NOX Numega SmartCheck OnlineTVPlayer O&O Defrag 8.0 Partition Magic 8.0 Passware Encryption Analyzer Passware Windows Key PowerDvD PowerStrip Pro Evolution Soccer 2008 Rainbow Six III RavenShield Shogun Total War Warlord Edition Sid(Meier) 's Pirates! Sid(Meier) 's Pirates! Sim City 4 Deluxe Sim City 4 Sniffer Pro 4.5 Soldiers Of Anarchy Soldiers Of Anarchy Stalker - Shadow of Chernobyl Star Wars Battlefront II (v1.0) Star Wars Battlefront II (v1.1) Steganos Internet Anonym VPN Splinter Cell Pandora Tomorrow Surpreme Commander S.W.A.T 2 S.W.A.T 3 S.W.A.T 4 TechSmith SnagIt Texas Calculatem 4 The Battle for Middle-earth The Orange Box The Orange Box TMPGEnc DVD Author TuneUp 2007 TuneUp 2008 TuneUp 2009 Winamp The Sims 3 Spore Mirrors Edge GTA IV FIFA 2009 Pro Evolution Soccer 2009 FIFA 2008 Nero 9 Mirc Orange Box
The stolen information includes values of parameters with the following names:
Name Serial Registration Code User Name Username Company License Owner Key Serial Key
The collected data is written to the file:
%Temp%\TMP.dat
The collected data is then sent to the attacker by e-mail.
The trojan queries the service "www.whatismyip.com" to determine the external IP address of the victim machine.
Once launched, the trojan extracts the following files from its body:
%WorkDir%\System.Data.SQLite.DLL (886,272 bytes)
%Temp%\melt.tmp (6 bytes)
System.Data.SQLite.DLL is the SQLite database engine and ADO.NET provider library. melt.tmp contains the string:
melt
The trojan modifies the file:
%System%\drivers\etc\hosts
by writing the following strings to it:
##Do not touch this file, changing it will cause SERIOUS damage to your computer
127.0.0.1 www.rsbot.org/vb/
127.0.0.1 rsbot.org/vb/
127.0.0.1 85.25.184.47
127.0.0.1 www.rsbot.com
127.0.0.1 www.rsbot.com
127.0.0.1 www.rsbot.org
127.0.0.1 www.rsbot.org
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.virusscan.jotti.org/
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.rsbots.net
127.0.0.1 rsbots.net
127.0.0.1 www.RSbots.net
127.0.0.1 www.AutoFighter.org
127.0.0.1 www.RSBotting.com
127.0.0.1 www.RSTrainers.com
127.0.0.1 www.CodeSpace.net
127.0.0.1 www.RsAutoCheats.com
127.0.0.1 www.XxBots.net
127.0.0.1 www.AutoFarmer.org
127.0.0.1 www.kMiner.org
As a result, access to the listed resources is blocked.
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
2. Delete the following files:
%WorkDir%\System.Data.SQLite.DLL
%Temp%\melt.tmp
%Temp%\TMP.dat
3. Restore the original contents of the following file:
%System%\drivers\etc\hosts
4. Perform a full system scan with an antivirus with updated databases.
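The hosts-file modification described above, and step 3 of the removal instructions, can be checked mechanically. The following Python script is an added example, not the vendor's tool: it takes hosts-file content as text, reports the lines that match the strings this trojan writes (the marker comment and the 127.0.0.1 entries listed in the description), and produces a copy with only those lines removed. It assumes that whatever remains after stripping the injected lines is the user's original file; the sample hosts content is constructed for the demonstration.

```python
"""Find and strip the hosts entries written by Trojan.MSIL.Agent.aor (added example)."""

# Indicators copied from the description: the comment line the trojan writes and
# the names it points at 127.0.0.1. Matching on names is case-insensitive.
MARKER_COMMENT = "##Do not touch this file, changing it will cause SERIOUS damage to your computer"
SINKHOLED = {name.lower() for name in (
    "www.rsbot.org/vb/", "rsbot.org/vb/", "85.25.184.47", "www.rsbot.com", "www.rsbot.org",
    "virustotal.com", "www.virustotal.com", "www.virusscan.jotti.org/", "www.virusscan.jotti.org/en",
    "www.rsbots.net", "rsbots.net", "www.AutoFighter.org", "www.RSBotting.com", "www.RSTrainers.com",
    "www.CodeSpace.net", "www.RsAutoCheats.com", "www.XxBots.net", "www.AutoFarmer.org", "www.kMiner.org",
)}

def _is_injected(line: str) -> bool:
    """True if a hosts line is one of the strings the trojan writes."""
    stripped = line.strip()
    if stripped == MARKER_COMMENT:
        return True
    if not stripped or stripped.startswith("#"):
        return False
    fields = stripped.split()
    # Every injected entry has the form "127.0.0.1 <name>".
    return fields[0] == "127.0.0.1" and any(f.lower() in SINKHOLED for f in fields[1:])

def scan_hosts(text: str) -> list[str]:
    """Return the injected lines found in hosts-file content (empty list means clean)."""
    return [ln for ln in text.splitlines() if _is_injected(ln)]

def clean_hosts(text: str) -> str:
    """Removal step 3: drop only the injected lines and keep everything else verbatim.
    Assumption: the remaining lines are the user's original hosts file."""
    kept = [ln for ln in text.splitlines() if not _is_injected(ln)]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")

# Constructed sample: a minimal hosts file with the trojan's lines appended.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    f"{MARKER_COMMENT}\n"
    "127.0.0.1 www.rsbot.org/vb/\n"
    "127.0.0.1 virustotal.com\n"
    "127.0.0.1 www.virustotal.com\n"
    "127.0.0.1 www.RSbots.net\n"
)

if __name__ == "__main__":
    hits = scan_hosts(SAMPLE_HOSTS)
    print(f"{len(hits)} injected line(s) found")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live machine, read %System%\drivers\etc\hosts into `text` and compare `clean_hosts(text)` with the file before overwriting it.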