Trojan nabs headlines from London attacks

Just hours after the BBC published a news report titled "London attackers 'meant to kill'", the Agent.AD Trojan stole the headline and part of the copy, using them as a ruse to entice victims into opening its infected attachment, sample.exe.

Agent.AD is not the first Trojan to exploit the London bombings. Shortly after the July 7th bombings occurred, Spexta (a.k.a. Donbomb.A) attempted to trick users by displaying copy from actual CNN coverage, and included an infected attachment provocatively named 'LondonTerrorMovie.zip'.

The Agent.AD email carries a 600Kb attachment named sample.exe which, when executed, displays a photo while, behind the scenes, the system is being infected by a keystroke-logging and screen-capturing Trojan.

Agent.AD creates a folder named clrprv.oo in the Windows System directory into which the following files are dropped: 'dpserver2.dll', 'mailsettings.pc2', 'register.exe', 'restrictedwords.pc2', 'ScrCapt.exe', 'scvhost.exe', 'serverd.exe', 'server.exe', and 'update.exe'.

Note that many of the above filenames match or closely mimic those of perfectly legitimate system files (the dropped 'scvhost.exe', for instance, is one transposed letter away from the real svchost.exe). As with real estate, location is everything. For example, on Windows XP the valid svchost.exe resides in the C:\Windows\System32 directory and not in C:\WINDOWS\system32\clrprv.oo.

Agent.AD captures screenshots and keystrokes, saving them to various files in sub-directories within C:\WINDOWS\system32\clrprv.oo. Agent.AD also tries to send the captured information out via e-mail, using various IP addresses.
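The indicators above (the clrprv.oo drop folder, the dropped file names, and the svchost.exe lookalike living outside System32) are simple enough to check for mechanically. The script below is an added example written for this article, not code from the original report or from any vendor; it classifies file paths against those indicators and flags a lookalike name anywhere on disk as well as a genuine system binary name found outside its expected directory. The sample paths at the bottom are constructed for the demonstration, and the expected home of svchost.exe is the Windows XP location the article gives.

```python
"""Classify file paths against the Agent.AD indicators from the article."""
from pathlib import PureWindowsPath

# Indicators quoted from the article: the drop folder created under the
# Windows System directory and the files written into it (lower-cased for
# case-insensitive matching, as Windows file names are).
DROP_FOLDER = "clrprv.oo"
DROPPED_FILES = {
    "dpserver2.dll", "mailsettings.pc2", "register.exe", "restrictedwords.pc2",
    "scrcapt.exe", "scvhost.exe", "serverd.exe", "server.exe", "update.exe",
}

# Legitimate binaries the dropped names imitate, mapped to the directory the
# article names as their valid home on Windows XP.
EXPECTED_HOME = {"svchost.exe": PureWindowsPath(r"C:\Windows\System32")}


def _same_dir(a, b):
    """Case-insensitive directory comparison (Windows paths are case-insensitive)."""
    return str(a).lower() == str(b).lower()


def is_transposition(name, legit):
    """True if `name` is `legit` with exactly one pair of adjacent characters
    swapped, e.g. 'scvhost.exe' versus 'svchost.exe'."""
    if len(name) != len(legit) or name == legit:
        return False
    diffs = [i for i, (x, y) in enumerate(zip(name, legit)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and name[diffs[0]] == legit[diffs[1]]
            and name[diffs[1]] == legit[diffs[0]])


def classify(path_str):
    """Return a short reason if the path matches an indicator, otherwise None."""
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    parent_names = [part.lower() for part in p.parent.parts]

    # Anything under the drop folder is suspect; known dropped names are certain.
    if DROP_FOLDER in parent_names:
        if name in DROPPED_FILES:
            return f"Agent.AD dropped file inside {DROP_FOLDER}"
        return f"unexpected file inside {DROP_FOLDER}"

    for legit, home in EXPECTED_HOME.items():
        # Real name, wrong place: "location is everything".
        if name == legit and not _same_dir(p.parent, home):
            return f"{legit} outside its expected directory {home}"
        # Lookalike name anywhere on disk.
        if is_transposition(name, legit):
            return f"lookalike of {legit}"
    return None


def scan(paths):
    """Return (path, reason) pairs for every path that matches an indicator."""
    hits = []
    for path in paths:
        reason = classify(path)
        if reason is not None:
            hits.append((path, reason))
    return hits


# Constructed sample input for the demonstration (not taken from a real system).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",                  # legitimate, correct location
    r"C:\WINDOWS\system32\clrprv.oo\scvhost.exe",        # dropped lookalike
    r"C:\WINDOWS\system32\clrprv.oo\dpserver2.dll",      # dropped DLL
    r"C:\Temp\svchost.exe",                              # real name, wrong directory
    r"C:\Users\victim\scvhost.exe",                      # lookalike outside drop folder
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```

On a live host you would feed `scan()` the output of a directory walk rather than the constructed list; the classification logic is unchanged. The transposition check is deliberately narrow (one swapped adjacent pair) so that it catches the scvhost/svchost trick described above without flagging every file whose name happens to share letters with a system binary.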