Threat behavior
TrojanProxy:Win32/Agent.E is installed by Trojan:Win32/Malagent and poisons the local DNS cache.
Installation
TrojanProxy:Win32/Agent.E is installed by Trojan:Win32/Malagent. When Win32/Malagent is run, it drops a DLL component to the following location:
%windir%\sysocmgr.dll
The registry is modified to execute this dropped component at each Windows start.
Adds value: {DA1DE019-A6A8-ED40-4B87-248B2A93DE99}
To subkey: HKLM\SOFTWARE\Classes\CLSID\
Adds value: "(default)"
With data: "%windir%\sysocmgr.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{DA1DE019-A6A8-ED40-4B87-248B2A93DE99}\InprocServer32
The dropped file is executed using the Windows system tool RUNDLL32.EXE, and it in turn drops another DLL component to the following location:
<system folder>\mshta.dll
Payload
Poisons DNS Cache
The dropped DLL component '%windir%\sysocmgr.dll' starts the DNS Client service (dnscache) if it is not running. It then injects '<system folder>\mshta.dll' into the dnscache process space.
The DLL component 'sysocmgr.dll' also downloads a file 'Iserv.dll' from the domain 'sbstop.info'. This file contains a list of host redirections that the injected code applies to the client's DNS cache, effectively poisoning DNS for the client.
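As an added example (not part of the original analysis), the following PowerShell script checks a host for the three indicators described in the Installation and Payload sections: the CLSID InprocServer32 persistence key, the two dropped DLLs, and the dropped module loaded inside the process hosting the DNS Client (Dnscache) service. The registry key, file names and service name are taken from this description; the function name and the output layout are this example's own choices. Run it from an elevated prompt, since reading the module list of a service host process requires administrative rights.

```powershell
# Added example: checks for the TrojanProxy:Win32/Agent.E indicators quoted in
# this description. Function name and output format are this example's own.

function Test-AgentEIndicators {
    $findings = @()

    # 1. Persistence: the CLSID key whose InprocServer32 default value points at sysocmgr.dll
    $clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{DA1DE019-A6A8-ED40-4B87-248B2A93DE99}'
    if (Test-Path -LiteralPath $clsid) {
        $inproc = Get-ItemProperty -LiteralPath "$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = 'Registry CLSID'
            Detail    = "$clsid present; InprocServer32 (default) = $($inproc.'(default)')"
        }
    }

    # 2. Dropped files: %windir%\sysocmgr.dll and <system folder>\mshta.dll
    $files = @(
        (Join-Path $env:windir 'sysocmgr.dll'),
        (Join-Path ([Environment]::SystemDirectory) 'mshta.dll')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file'
                Detail    = "$f ($($item.Length) bytes, last written $($item.LastWriteTime))"
            }
        }
    }

    # 3. Injection: the description says mshta.dll is injected into the dnscache
    #    process, so look for that module inside the service's host process.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'"
    if ($svc -and $svc.ProcessId -gt 0) {
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        if ($proc) {
            $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq 'mshta.dll' }
            foreach ($m in $mods) {
                $findings += [pscustomobject]@{
                    Indicator = 'Injected module'
                    Detail    = "PID $($svc.ProcessId) (Dnscache host) has $($m.FileName) loaded"
                }
            }
        }
    }

    return $findings
}

$result = @(Test-AgentEIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No TrojanProxy:Win32/Agent.E indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

A hit on any of the three indicators is worth escalating on its own; the registry key in particular is a persistence marker and should be removed together with the dropped files. Because the payload works by poisoning the resolver cache, flush it after cleanup (ipconfig /flushdns, or Clear-DnsClientCache on Windows 8 and later) so that stale redirections do not survive removal of the DLLs.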
Analysis by Vincent Tiu
Prevention