Threat behavior
TrojanDownloader:Win32/Agent.ZAT may connect to known banner advertisement domains and download advertising content and additional files.
Installation
TrojanDownloader:Win32/Agent.ZAT is installed by TrojanDownloader:Win32/Agent.ZAT.dr.
When executed, TrojanDownloader:Win32/Agent.ZAT.dr may drop an installer file named 'insiderinst.exe' into the %TEMP% folder, then run it. The dropped installer creates the following folder and file:
%ProgramFiles%\nvcoi\nvcoi.exe
This file is detected as TrojanDownloader:Win32/Agent.ZAT.
The registry is modified during installation.
Adds value: remove
With data: "ok"
To subkey: HKEY_CURRENT_USER\Software\xInsiDERexe
Adds value: b153
With data: "yes"
To subkey: HKEY_CURRENT_USER\CLSID\{F4507CDA-0AF6-1033-0920-0520050001}
Adds value: nvcoi
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
Next, the registry is modified to run the installed file at each Windows start.
Adds value: nvcoi
With data: "%ProgramFiles%\nvcoi\nvcoi.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Sends System Information/Downloads Arbitrary Files
When the installed file 'nvcoi.exe' is run, it collects particular information about the affected system and then connects to known banner advertisement domains, sending the collected system data. The following domains may be contacted, and the trojan may attempt to download advertisements or other files (including executables):
153pop.lbann.com
trx66.lbann.com
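The installation artifacts, the registry persistence entries and the contacted domains listed above can be checked on a suspect host with the following PowerShell triage script. It is an added example, not part of the original analysis and not a tool of the analyst or vendor: the file paths, value names, data and domains are taken from this entry, while the function names, the output format and the DNS client cache check are assumptions made for the example.

```powershell
# Host triage for the TrojanDownloader:Win32/Agent.ZAT artifacts described in this entry.
# Added example; the indicators come from the entry, the script structure is assumed.
# All registry indicators live under HKEY_CURRENT_USER, so run this in the context of
# each user profile that may be affected (or load that user's hive) to get a complete answer.

$ErrorActionPreference = 'SilentlyContinue'

# File artifacts named in the entry
$filePaths = @(
    (Join-Path $env:ProgramFiles 'nvcoi\nvcoi.exe'),   # installed downloader
    (Join-Path $env:TEMP 'insiderinst.exe')            # dropped installer (may already be gone)
)

# Registry values named in the entry: key, value name, expected data ($null = any data hits)
$registryIocs = @(
    @{ Path = 'HKCU:\Software\xInsiDERexe';                                        Name = 'remove'; Data = 'ok'  },
    @{ Path = 'HKCU:\CLSID\{F4507CDA-0AF6-1033-0920-0520050001}';                  Name = 'b153';   Data = 'yes' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall';         Name = 'nvcoi';  Data = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'nvcoi';  Data = $null }
)

# Domains the entry lists as contacted by nvcoi.exe
$domains = @('153pop.lbann.com', 'trx66.lbann.com')

function Test-FileIocs {
    foreach ($p in $filePaths) {
        if (Test-Path -LiteralPath $p) {
            # Record the hash so the sample can be matched against vendor detections later
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            [pscustomobject]@{ Type = 'File'; Indicator = $p; Detail = "SHA256=$hash" }
        }
    }
}

function Test-RegistryIocs {
    foreach ($ioc in $registryIocs) {
        # Get-ItemProperty returns nothing (error suppressed) if the key or value is absent
        $item = Get-ItemProperty -LiteralPath $ioc.Path -Name $ioc.Name
        if ($null -eq $item) { continue }
        $data = $item.($ioc.Name)
        # Where the entry specifies the data, require a match; otherwise the value's presence is enough
        if ($null -eq $ioc.Data -or $data -eq $ioc.Data) {
            [pscustomobject]@{ Type = 'Registry'; Indicator = "$($ioc.Path)\$($ioc.Name)"; Detail = "Data=$data" }
        }
    }
}

function Test-NetworkIocs {
    # Get-DnsClientCache (DnsClient module, Windows 8 / Server 2012 and later) shows names
    # this host has resolved recently; a hit means something here looked up the C2/ad domain.
    $cache = Get-DnsClientCache
    foreach ($d in $domains) {
        $hit = $cache | Where-Object { $_.Entry -eq $d -or $_.Entry -like "*.$d" }
        if ($hit) {
            [pscustomobject]@{ Type = 'DNS'; Indicator = $d; Detail = ($hit.Data -join ',') }
        }
    }
}

$findings = @(Test-FileIocs) + @(Test-RegistryIocs) + @(Test-NetworkIocs)
if ($findings.Count -eq 0) {
    Write-Output 'No Agent.ZAT indicators found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Run value alone is the important one for containment: as long as that value points at nvcoi.exe, the downloader is relaunched at every logon, so the value and the file need to go together, after the running nvcoi.exe process has been stopped. The DNS cache check is only indicative; the cache is cleared on reboot and on ipconfig /flushdns, so an empty result does not prove the domains were never contacted.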
Analysis by Tim Liu
Prevention