TrojanDownloader:Win32/Agent.VT is a trojan that downloads and executes arbitrary files, including updates and other malware, from a remote web site. The trojan may also send information about the computer on which it is installed to a remote attacker.
Installation
This trojan may be dropped to the following locations:
<system folder>\ori.dll
<system folder>\Kum\Mspss.exe
<system folder>\Kum\PowerHacker_Charm.dll
It installs itself as a Browser Helper Object by modifying the registry:
Adds value: @
With data: "<dll path and filename>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363E6889-1F64-497D-992B-2AF83B591118}\InprocServer32
It also creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\man\<date>
where <date> is the current date in YYYYMMDD format.
Payload
Downloads and Executes Arbitrary Files
This trojan initially connects to the 'update1.sidelinker.com' domain and retrieves a file which it saves to 'C:\WINDOWS\ar.dat'. This file contains locations from which the trojan may download additional malware. This trojan may also download updates from this domain.
The downloaded files are also detected as TrojanDownloader:Win32/Agent.VT.
Additional Information
Win32/Agent.VT may send the MAC address of the infected computer to a web site on the 'update1.sidelinker.com' domain.
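The file, registry and network indicators listed in this entry can be matched against artifacts already collected from a host. The following Python code is an added example, not part of the original entry; the input format (lists of file paths, registry paths and DNS names), the function names and the sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Indicators from this entry. <system folder> differs per host, so file paths
# are matched on their trailing components only.
FILE_TAILS = (r"\ori.dll", r"\kum\mspss.exe", r"\kum\powerhacker_charm.dll",
              r"c:\windows\ar.dat")
BHO_KEY = (r"hkey_local_machine\software\classes\clsid"
           r"\{363e6889-1f64-497d-992b-2af83b591118}\inprocserver32")
# Tail match, so HKEY_USERS\<SID>\... paths from offline hives also hit.
MARKER = re.compile(r"\\software\\microsoft\\windows nt\\currentversion"
                    r"\\man\\(\d{8})$")
DOMAIN = "update1.sidelinker.com"

def is_yyyymmdd(text):
    """True only for a real calendar date, e.g. rejects month 13."""
    try:
        datetime.strptime(text, "%Y%m%d")
        return True
    except ValueError:
        return False

def triage(files, reg_paths, dns_names):
    """Return (kind, artifact) pairs for every indicator match."""
    hits = [("file", f) for f in files if f.lower().endswith(FILE_TAILS)]
    for path in reg_paths:
        low = path.lower().rstrip("\\")
        marker = MARKER.search(low)
        if low == BHO_KEY:
            hits.append(("bho_clsid", path))
        elif marker and is_yyyymmdd(marker.group(1)):
            hits.append(("date_marker", path))
    for name in dns_names:
        low = name.lower().rstrip(".")
        if low == DOMAIN or low.endswith("." + DOMAIN):
            hits.append(("dns", name))
    return hits

# Constructed sample data (not taken from a real host).
SAMPLE_FILES = [r"C:\WINDOWS\system32\Kum\Mspss.exe", r"C:\WINDOWS\ar.dat",
                r"C:\Tools\memori.dll"]
SAMPLE_REG = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{363E6889-1F64-497D-992B-2AF83B591118}\InprocServer32",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\man\20080214",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\man\20081345"]
SAMPLE_DNS = ["update1.sidelinker.com.", "notupdate1.sidelinker.com"]
if __name__ == "__main__":
    for kind, artifact in triage(SAMPLE_FILES, SAMPLE_REG, SAMPLE_DNS):
        print(f"{kind:12} {artifact}")
```

A file named ori.dll outside the system folder also matches, so file hits should be confirmed against the registry and DNS hits before a host is treated as infected.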