Threat behavior
TrojanDownloader:Win32/Agent!D265 is a Trojan downloader that may be distributed in email masquerading as a Microsoft Security Bulletin. TrojanDownloader:Win32/Agent!D265 contains functionality to inject code in different processes, download files from remote Web sites and execute those files on the infected system.
When TrojanDownloader:Win32/Agent!D265 is first run, it checks for an available Internet connection by calling the InternetCheckConnection API against http://www.google.com.
After checking for the connection, TrojanDownloader:Win32/Agent!D265 sleeps for 10,000ms and then tries to inject code into another process: it allocates memory in the remote process, writes to that memory with the WriteProcessMemory API, and starts execution of the injected code with the CreateRemoteThread API.
TrojanDownloader:Win32/Agent!D265 then renames itself to "sdoctor.exe" and copies itself to the Windows system folder. Note: The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista); C:\Winnt\System32 (Windows NT/2000); C:\Windows\System (Windows 95/98/ME).
TrojanDownloader:Win32/Agent!D265 modifies the registry as follows in order to load this copy of itself when Windows is started:
Adds value: SpywareDoctor
With data: <system folder>\sdoctor.exe
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The following additional registry modifications are made by the Trojan:
HKEY_LOCAL_MACHINE\Software\CLASSES\Laorenshen\Shell
HKEY_LOCAL_MACHINE\Software\CLASSES\Laorenshen\Shell\Open
HKEY_LOCAL_MACHINE\Software\CLASSES\Laorenshen\Shell\Open\Command
"\"%System%\\sdoctor.exe\" %1"
TrojanDownloader:Win32/Agent!D265 may also do the following:
- Creates the file "c:\france.html", uses the FindExecutableA API to retrieve the name of and a handle to the executable (.exe) file associated with the ".html" file extension, and then deletes that executable, which is the program started when an .html file is opened by association (for example, "iexplorer.exe" or "opera.exe").
- Contains functionality to delete itself, both with the DeleteFile API and by using the ShellExecute API to run the command-line processor with the following parameters:
ShellExecute(%ComSpec% /c del filename >>NUL), where %COMSPEC% is an environment variable containing the full path to the current command processor (cmd.exe).
- Contains functionality to download and execute downloaded files.
- Hides unwanted API functions
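The following read-only triage script, added here and not part of the original encyclopedia entry, checks a host for the artifacts described above (the Run value, the dropped sdoctor.exe, the Laorenshen class key and c:\france.html). It assumes an elevated PowerShell session on the host under investigation; the function name is hypothetical, and the final check of the registered .html handler goes beyond the entry's text to look for the browser executable the trojan deletes.

```powershell
# Added example (not from the original entry): read-only checks for the host
# artifacts described above. Assumes an elevated PowerShell on the host under
# investigation. Function name is hypothetical. Nothing is modified or deleted.
function Test-AgentD265Artifacts {
    $findings = @()

    # 1. Run-key persistence: value "SpywareDoctor" pointing at sdoctor.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'SpywareDoctor' -ErrorAction SilentlyContinue
    if ($run -and $run.SpywareDoctor -match 'sdoctor\.exe') {
        $findings += "Run value SpywareDoctor = $($run.SpywareDoctor)"
    }

    # 2. The dropped copy in the Windows system folder. A 32-bit dropper on a
    #    64-bit host is redirected to SysWOW64, so both locations are checked.
    foreach ($dir in 'System32', 'SysWOW64') {
        $dropped = Join-Path $env:SystemRoot "$dir\sdoctor.exe"
        if (Test-Path -LiteralPath $dropped) { $findings += "File present: $dropped" }
    }

    # 3. The Laorenshen class key whose open command launches sdoctor.exe
    $classKey = 'HKLM:\Software\Classes\Laorenshen\Shell\Open\Command'
    if (Test-Path -LiteralPath $classKey) {
        $cmd = (Get-ItemProperty -Path $classKey).'(default)'
        $findings += "Class key present: $classKey (default = $cmd)"
    }

    # 4. The marker file created before the .html handler lookup
    if (Test-Path -LiteralPath 'C:\france.html') {
        $findings += 'File present: C:\france.html'
    }

    # 5. Collateral damage (addition beyond the entry's text): does the
    #    executable registered for .html files still exist on disk?
    $htmlKey = 'HKLM:\Software\Classes\htmlfile\shell\open\command'
    $htmlCmd = (Get-ItemProperty -Path $htmlKey -ErrorAction SilentlyContinue).'(default)'
    if ($htmlCmd -match '^"([^"]+)"' -and -not (Test-Path -LiteralPath $Matches[1])) {
        $findings += "Registered .html handler is missing: $($Matches[1])"
    }

    return $findings
}

$result = @(Test-AgentD265Artifacts)
if ($result.Count -eq 0) {
    'No TrojanDownloader:Win32/Agent!D265 artifacts found.'
} else {
    'Possible TrojanDownloader:Win32/Agent!D265 artifacts:'
    $result | ForEach-Object { "  $_" }
}
```

A hit on any single check is a lead, not a verdict: confirm with an up-to-date antivirus scan before remediating, since the script only reports and does not remove anything.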
On June 26, 2007, links to TrojanDownloader:Win32/Agent!D265 were mass-seeded (spammed) via an email masquerading as a Microsoft Security Bulletin. The body of that email read in part:
Dear <username>
You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.
A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, June 18th. The vulnerability affects machines running MICROSOFT OUTLOOK and allows an attacker to take full control of the vulnerable computer if the exploitation process is successful.
Since then, more than 100,000 machines have been reported as exploited and used to promote spammy pharmacy products such as viagra and cialis.
An update has been released to fix this issue and can be downloaded from the following link
The link included in the email pointed to a copy of TrojanDownloader:Win32/Agent!D265. The filename of the downloaded file was MSOUTRC2007Update-KB863892.exe.
Prevention
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.