Trojan.Agent.FKIA

The messages have a variable German subject, and the German language contents of e-mails are also variable. The Trojan can be found in zip file attached to e-mails.

After execution the Trojan creates a binary file, which mimics one of Windows' system files, and registers itself into the registry to autostart this file at every system boot. The Trojan also drops a rootkit component, which is detected by Virusbuster products as Rootkit.Autorun.Gen.10.

The Trojan also copies itself to the root directory of available drives, and creates an appropriate autorun.inf file to ensure that it will be executed when opening the drive.

The trojan attempts to download further malware components from the internet.

The trojan began distributed in large numbers on the 24th of November 2008 in unsolicited e-mail messages. The messages have a variable German subject. Some of the typical subject lines are:

Abrechnung 10577273360
Anzeigegefahr Nr5487
Guenter Frhr. v. Gravenreuth Brief Nr9863
Mahngebuehren Nr4984
Zahlungsaufforderung Nr6357

The numbers in the subjects are randomly selected. A typical message body is the following:

Sehr geehrte Damen und Herren!
Die Anzahlung Nr.654259431479 ist erfolgt
Es wurden 3443.00 EURO Ihrem Konto zu Last geschrieben.
Die Auflistung der Kosten finden Sie im Anhang in der Datei: Rechnung.
Alle unsere Rechnungen sind mit einem Sicherheitszertifikat versehen - der ist für Sie nicht von
Bedeutung
Regel Inkasso GmbH & Co. KG
Fredeburger Str. 21
33699 Bielefeld
Postfach 51 20 05
33698 Bielefeld
Tel.: 0521 93212-0
Fax: 0521 92412-15
AG Bielefeld HRA 13169
Steuer-Nummer: 349/5749/0377
Komplementärgesellschaft:
Regel Verwaltungs-GmbH
AG Bielefeld HRA 34932

The number and the euro price in the message are randomly changing.

The e-mail message contains the Trojan as an attachment, with the file name "abrechnung.zip".

After execution the trojan copies itself into the program files folder as "C:\Program Files\Microsoft Common\svchost.exe", and registers itself for autostart using the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "" = C:\Program Files\Microsoft Common\svchost.exe

It also drops a rootkit component, which is detected by Virusbuster products as Rootkit.Autorun.Gen.10.

The Trojan also copies itself to the root directory of available drives, and creates an appropriate autorun.inf file to ensure that it will be executed when opening the drive.

The trojan attempts to download further malware components from the websites.