Researchers at Norman today discovered a new Trojan horse program that installs and displays a child pornographic movie.

The Trojan, dubbed "W32/Agent.ULL", appears to use this feature as bait in order to get users to run it. The file name of the sample submitted to Norman suggests that a user would be aware of the illegal content of the file, but the primary function of the Trojan is not to plant the video. While the video runs, the Trojan installs and downloads a whole host of other malicious software - among others components belonging to the scam-based "antispyware utilities" Spysheriff and BraveSentry.

The Agent family is a big family of generic Trojans that perform various actions, like installing adware, setting up proxies, downloading other malware etc.

W32/Agent.ULL was proactively detected by the Norman Sandbox technology.
The automated Sandbox analysis of the Trojan can be found here: http://sandbox.norman.no/live_2.html?logfile=695930

Norman’s current risk rating is medium.

You will find more information about this worm/Trojan in the description here:
http://www.norman.com/Virus/Virus_descriptions/31222

For more virus information go to www.norman.com

This Trojan is also known as Trojan-Dropper.Win32.Agent.yf

For more information, please contact:

• Gunnar Johansen, Virus Analyst, Norman ASA +47 415 39 748
• Audun Lødemel, director of marketing , Norman ASA +47 93 44 65 31