
Friday, 6 April 2012

Trojan-Dropper.Win32.Agent.dcbd


Technical Details

This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 70 656 bytes in size. It is written in C++.

Payload

Once launched, the Trojan performs the following actions:
  • It extracts files from its body and saves them in the system as:
    %System%\<rnd1>.dll
    (56 320 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.Agent.eiyv") This library exports the function "Execute", which is designed to block antivirus programs such as the following on the infected system:
    McAfee
    RAV AntiVirus
    ESET NOD32
    
    It blocks them by stopping their services, deleting their system registry keys, and terminating any process that has certain of their libraries loaded in its address space.
    %System%\<rnd2>.dll
    (8704 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Agent.dxqs")
    The library exports the "Execute" function, which downloads files from the Internet. The downloaded files are saved in the "%Temp%" directory. While this function runs, a separate thread re-creates the following system registry autorun value in an endless loop:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "system" = "%System%\system.exe"
    
    This ensures that "%System%\system.exe" is launched automatically each time the system is restarted, and that the value is restored if it is deleted while the library is still running.
    where <rnd1> and <rnd2> are random strings of letters (for example: "ugkreaca" and "xonbecca").
  • It launches the system utility "rundll32.exe" with the following parameters:
    %System%\<rnd1>.dll Execute
    %System%\<rnd2>.dll Execute
    
    This way, functions named "Execute" are called from the extracted libraries.
  • It moves its body to the file:
    %System%\system.exe
The Trojan then ceases running.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the following files:
    %System%\<rnd1>.dll 
    %System%\<rnd2>.dll 
    %System%\system.exe
    
  2. Reboot the computer or terminate the process (rundll32.exe) that has the Trojan library loaded in its address space. Do this before step 3: the downloader library re-creates the autorun value in an endless loop for as long as it runs, and a library that is still loaded cannot be deleted, so if step 1 fails with a sharing violation, complete this step first and then repeat step 1.
  3. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "system" = "%System%\system.exe"
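The detection and removal steps above, as an added PowerShell example that is not part of Kaspersky's description or of this post. It searches for the indicators the description gives (the "system" Run value, rundll32.exe command lines ending in "Execute", and files in %System% with the stated name and sizes) and, when run with -Remove, cleans them in the order that works against the thread that re-creates the autorun value. The function names, the -Remove switch, the hypothetical script name and the "8 lowercase letters" name pattern (generalized from the two sample names "ugkreaca" and "xonbecca") are my assumptions, not something the description states.

```powershell
#Requires -RunAsAdministrator
# Added example, not Kaspersky's or the post author's code. The indicators
# (system.exe, random 8-letter DLL names, file sizes, the Run value and the
# "rundll32 <dll> Execute" command line) come from the description above;
# the function names and the -Remove switch are assumptions of this example.
[CmdletBinding()]
param([switch]$Remove)

$Sys32  = [Environment]::GetFolderPath('System')   # %System%, e.g. C:\Windows\System32
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Find-DropperFiles {
    # system.exe is the dropper's moved body; the two libraries have random
    # 8-letter lowercase names and are 56 320 and 8704 bytes in size.
    $hits = @()
    $exe = Join-Path $Sys32 'system.exe'
    if (Test-Path -LiteralPath $exe) { $hits += Get-Item -LiteralPath $exe }
    $hits += @(Get-ChildItem -LiteralPath $Sys32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -cmatch '^[a-z]{8}$' -and (@(56320, 8704) -contains $_.Length) })
    return $hits
}

function Find-DropperProcesses {
    # The dropper launches: rundll32.exe %System%\<rnd>.dll Execute
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        Where-Object { $_.CommandLine -match '\.dll\s+Execute\s*$' }
}

function Find-DropperRunValue {
    $v = Get-ItemProperty -LiteralPath $RunKey -Name 'system' -ErrorAction SilentlyContinue
    if ($v -and $v.system -like '*\system.exe') { return $v.system }
}

$procs = @(Find-DropperProcesses)
$files = @(Find-DropperFiles)
$run   = Find-DropperRunValue

"rundll32 processes : $($procs.Count)"
$procs | ForEach-Object { "  PID $($_.ProcessId): $($_.CommandLine)" }
"suspicious files   : $($files.Count)"
$files | ForEach-Object { "  $($_.FullName) ($($_.Length) bytes)" }
"Run value 'system' : $(if ($run) { $run } else { 'absent' })"

if (-not $Remove) { return }

# Order matters: the downloader library re-creates the Run value in an endless
# loop while it runs, and a DLL loaded into rundll32 cannot be deleted, so
# terminate the processes first, then delete the files, then remove the value.
foreach ($p in $procs) { Stop-Process -Id $p.ProcessId -Force -ErrorAction Continue }
if ($procs.Count) { Start-Sleep -Seconds 2 }
foreach ($f in $files) { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue }
Remove-ItemProperty -LiteralPath $RunKey -Name 'system' -ErrorAction SilentlyContinue

# Verify that nothing is still rewriting the autorun value.
Start-Sleep -Seconds 5
if (Find-DropperRunValue) { Write-Warning 'Run value came back: a dropper thread is still running.' }
else { 'Run value removed and did not return.' }
```

Run it from an elevated prompt, first without -Remove to review the list (for example `.\Clean-AgentDcbd.ps1`, a file name assumed here), then with -Remove. The file-size match is only a heuristic, so before deleting a DLL candidate confirm that it exports "Execute" (for instance with `dumpbin /exports <file>` from the Visual Studio tools). The removal instructions do not cover whatever the downloader saved in "%Temp%"; review that directory as well.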
