Detection files published: 10 Mar 2006
Description created: 2006-03-10
Description updated: 2006-03-10
Alias: Trojan-Dropper.Win32.Agent.yf
Spreading mechanism:
Payload: Installs other malware utilities as well as child pornography.
This is a trojan horse program that installs various ad- and spyware utilities, as well as extracting and showing a child pornographic movie. File size is 193536 bytes. File name as submitted to us is "childporn*******movie.mpeg.exe".
The trojan does not spread by itself. It has likely been distributed manually in forums where people would download and run it, for example in file sharing networks.
File system changes:
The files installed are:
win32.exe, kernels64.exe : Installers for Tibs, BraveSentry and other malware. Tibs is a downloader for pornographic adware, BraveSentry is a scam-based "AntiSpyware" utility.
msits.exe, cmd32.exe : Downloads SpySheriff and other downloaders. SpySheriff is another scam-based "AntiSpyware" utility.
loadadv713.exe : Another downloader
This is a quite common scenario - downloaders that download more downloaders which download more downloaders - it goes on and on.
The trojan installs a number of files in addition to the pornographic movie. These files are mostly downloaders that fetch other malicious ad- and spyware utilities. While this happens, the trojan extracts and displays a WMV movie ("childporn.wmv") involving sex with a clearly underage girl.
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| Stopping network share infectors | | |
| Cleaning of back-up folders on Windows Me and XP | | |