Trojan-Dropper.Win32.Agent.albv
13-07-2010, 07:38. Author: admin
Payload

The Trojan adds its executable file to the Windows firewall list of trusted applications (the "authorized applications" exception list), so its network traffic is not blocked by the host firewall. It then launches the "iexplore.exe" process and injects its code into this process, so that the malicious activity runs inside a trusted browser process.

It also attempts to terminate the following processes:

avesvc.exe
ashdisp.exe
avgrsx.exe
bdss.exe
spider.exe
avp.exe
nod32krn.exe
cclaw.exe
dvpapi.exe
ewidoctrl.exe
mcshield.exe
pavfires.exe
almon.exe
ccapp.exe
pccntmon.exe
fssm32.exe
issvc.exe
vsmon.exe
cpf.exe
ca.exe
tnbutil.exe
mpfservice.exe
npfmsg.exe
outpost.exe
tpsrv.exe
kpf4ss.exe
persfw.exe
vsserv.exe
smc.exe

It also attempts to disable the following services associated with antivirus and firewall programs:

AntiVir
Avast Antivirus
AVG Antivirus
BitDefender
Dr.Web
Kaspersky Antivirus
Nod32
Norman
Authentium Antivirus
Ewido Security Suite
McAfee VirusScan
Panda Antivirus/Firewall
Sophos
Symantec/Norton
PC-cillin Antivirus
F-Secure
Norton Personal Firewall
ZoneAlarm
Comodo Firewall
eTrust EZ Firewall
F-Secure Internet Security
Kaspersky Antihacker
McAfee Personal Firewall
Norman Personal Firewall
Outpost Personal Firewall
Panda Internet Security Suite
Panda Anti-Virus/Firewall
Kerio Personal Firewall
Tiny Personal Firewall
BitDefender / Bull Guard Antivirus
Sygate Personal Firewall

The Trojan also harvests passwords to web sites saved in the password stores of the following browsers:

Mozilla Firefox
Internet Explorer

It also harvests passwords and account data for the following IM clients:

Trillian
Miranda
Yahoo Messenger
MySpace IM
Gaim

The Trojan has a built-in keylogger and can take screenshots of the user's desktop. These screenshots are saved to the Temporary directory under the name <N>, with <N> being a decimal number. Harvested data is sent to the malicious user's server:

212.158.160.***

Propagation via removable media

The Trojan copies its executable file to the root of each removable drive under the following name:

<X>:\wlan.exe

with X being the drive letter. In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

<X>:\autorun.inf

This file launches the Trojan executable each time the user opens an infected disk in Explorer (AutoRun/AutoPlay handling of autorun.inf, which was enabled by default on Windows versions of the time).

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
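The following triage script is an added example and is not part of the original description or its removal steps. It checks for the three host artifacts named above: the wlan.exe plus autorun.inf pair on a drive root (parsing the autorun.inf launch keys rather than just checking that the file exists), decimal-named screenshot files in a Temp directory, and a firewall "authorized applications" entry that is not in a known baseline. The registry value format it parses (path:scope:mode:name, as stored under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List on Windows XP SP2) and all sample inputs are assumptions constructed for the demo; the sample tree it builds contains placeholder bytes, not malware.

```python
"""Triage checks for the host indicators described above (added example, not page code)."""
import re
import tempfile
from pathlib import Path

DROPPED_NAME = "wlan.exe"     # file the Trojan copies to each removable drive root
AUTORUN_NAME = "autorun.inf"  # launcher it drops alongside it

# autorun.inf keys that Explorer can use to start a program when the drive is opened.
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.I)


def autorun_launch_targets(text):
    """Return the lower-cased file names referenced by launch keys in the [autorun] section."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):           # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        m = _LAUNCH_KEY.match(line) if in_autorun else None
        if m:
            value = m.group(2)
            # Quoted path, or the first token (drops command-line arguments).
            first = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
            targets.append(Path(first.replace("\\", "/")).name.lower())
    return targets


def _find_ci(directory, name):
    """Case-insensitive lookup of a direct child of directory; None if absent."""
    for entry in Path(directory).iterdir():
        if entry.name.lower() == name:
            return entry
    return None


def scan_drive_root(root):
    """True when the root carries wlan.exe and an autorun.inf whose launch key points at it."""
    dropper = _find_ci(root, DROPPED_NAME)
    autorun = _find_ci(root, AUTORUN_NAME)
    if dropper is None or autorun is None:
        return False
    text = autorun.read_text(encoding="latin-1", errors="replace")
    return DROPPED_NAME in autorun_launch_targets(text)


def decimal_named_files(temp_dir):
    """Files whose whole name is a decimal number, the screenshot naming described above."""
    return sorted(p.name for p in Path(temp_dir).iterdir() if p.is_file() and p.name.isdigit())


def unexpected_firewall_entries(values, baseline):
    """Return paths from 'path:scope:mode:name' values (assumed XP SP2 format) not in baseline."""
    known = {b.lower() for b in baseline}
    flagged = []
    for v in values:
        parts = v.rsplit(":", 3)          # rsplit keeps the drive-letter colon inside the path
        path = parts[0] if len(parts) == 4 else v
        if path.lower() not in known:
            flagged.append(path)
    return flagged


def make_sample_drive(infected=True):
    """Constructed sample drive root for the demo (placeholder bytes, not malware)."""
    root = tempfile.mkdtemp(prefix="drive_")
    if infected:
        Path(root, "WLAN.exe").write_bytes(b"MZ")
        Path(root, "autorun.inf").write_text('[autorun]\nshellexecute="wlan.exe"\nicon=wlan.exe\n')
    return root


def make_sample_temp():
    """Constructed sample Temp directory mixing decimal-named and ordinary files."""
    root = tempfile.mkdtemp(prefix="temp_")
    for name in ("1", "27", "notes.txt", "3a"):
        Path(root, name).write_bytes(b"")
    return root


if __name__ == "__main__":
    print("infected drive:", scan_drive_root(make_sample_drive()))
    print("clean drive:", scan_drive_root(make_sample_drive(infected=False)))
    print("decimal-named temp files:", decimal_named_files(make_sample_temp()))
    sample_values = [  # constructed registry values
        r"C:\Windows\system32\sessmgr.exe:*:Enabled:Remote Assistance",
        r"C:\WINDOWS\wlan.exe:*:Enabled:wlan",
    ]
    print("unexpected firewall entries:",
          unexpected_firewall_entries(sample_values, [r"c:\windows\system32\sessmgr.exe"]))
```

On a real host the drive-root check would be run against each removable volume's root and the Temp check against %TEMP%; the firewall check needs the registry values read out of the key named in the lead-in, which is why that function takes the raw value strings rather than reading the registry itself.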