Threat Encyclopedia

Short description
Win32/Agent.ODG is a trojan used to deliver unsolicited advertisements. The trojan receives data and commands from a remote computer or the Internet. It uses techniques common to rootkits.
Installation
When executed, the trojan drops the following files in the %system% folder:
  • TDSSl.dll (17408 B)
  • tdssc2cf.dll (46620 B)
  • tdssadw.dll (32768 B)
  • tdssmain.dll (10240 B)
  • tdssserf.dll (12288 B)
The libraries are loaded and injected into the following processes:
  • svchost.exe
  • iexplorer.exe
The following file is dropped into the %system%\drivers\ folder:
  • TDSSserv.sys (36352 B)
The trojan installs the following system driver:
  • TDSSserv.sys
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv]
    "Start" = %number1%
    "Type" = %number2%
    "ImagePath" = "%system%\drivers\TDSSserv.sys"
A string with variable content is used instead of %number1-2%, %variable1-6%.
Information stealing
Win32/Agent.ODG is a trojan that steals sensitive information.

The following information is collected:
  • recently visited URLs
The trojan can send the information to a remote machine.
Other information
The trojan blocks access to the following sites:
  • virustorjunta.net
  • spywarefri.dk
  • malekal.com
  • linhadefensiva.org
  • hijackthis.nl
The trojan terminates specific running processes.

The trojan alters the behavior of the following processes:
  • msiserver
The user may be redirected to one of the following Internet web sites:
  • compalusa.com
  • dojo.www.
  • clubgamecasino.com
  • wikiei.com
  • asiuoqgusdbaksd.com
  • analitic-checks.google.com
The trojan tries to download and execute several files from the Internet. It contains a list of 3 URLs and uses the HTTP protocol.

The trojan hides files and Registry entries which contain one of the following strings in their name:
  • TDSS