It’s interesting to see the lengths malware authors have gone to in order to secure their income. Recently, Joe Stewart from SecureWorks published a very nice description of a Trojan which, in an attempt to keep other “competitors” out, installs an antivirus which it uses to keep the system clean. Unsurprisingly, the antivirus which the Trojan installs is KAV, specifically a version of KAV for Wingate.
Up until now, most of the antivirus tools installed by Trojans have been either rogue SpySheriff-like products or free disinfection tools like Microsoft’s MSRT, which is why it’s really odd to see a real antivirus application being installed by a Trojan.
Detection for this thing is now available as Backdoor.Win32.Agent.uu.