Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Agent.bc
Trojan-Dropper.Win32.Agent.bc
| Detected | Oct 17 2004 11:51 GMT |
| Released | Oct 17 2004 11:51 GMT |
| Published | Apr 03 2006 11:26 GMT |
Payload
Removal instructions
Technical Details
The Trojan program installs other files and programs to the victim machine without the user's knowledge or consent. The main Trojan file is a Windows PE EXE file 153719 bytes in size, packed using UPX. The unpacked file is approximately 222KB in size.
Payload
When launched, the Trojan creates a folder called "Winad Client" and drops the follwoing files to this folder:
- %Program Files%\Winad Client\ClientCom.dll
776800 bytes in size
this file will be detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.WinAD.a - %Program Files%\Winad Client\Info.txt
1720 bytes in size - %Program Files%\Winad Client\Winad.exe
24064 bytes in size
This file will detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.WinAD - %Program Files%\Winad Client\WinClt.exe
12915 bytes in size
This file will be detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.CaptainCode.a
The Winad.exe file will be registered in the system registry in order to ensure that it is launched each time Windows is rebooted on the victim machine.
"Winad Client"="%Program Files%\Winad Client\Winad.exe"
The files dropped to the victim machine will then be launched for execution.
Removal instructions
- Delete the following folder and all files that the folder contains:
%Program Files%\Winad Client\
- Delete the original Trojan file (the location of this file depends on how the victim machine became infected).
- Perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- TrojanDropper.
Win32. Agent. bc (Kaspersky Lab) - App:
Adware-WinAd (McAfee) - Mal/TinyDL-J (Sophos)
- Trojan.
Small-3 (ClamAV) - Adware/WUpd (Panda)
- W32/Agent.
AGX (FPROT) - TrojanDownloader:
Win32/Winupdt. A. dr (MS(OneCare)) - Adware.
Winad (DrWeb) - Win32/TrojanDropper.
Agent. BC trojan (Nod32) - Trojan.
Dropper. Agent. BC (BitDef7) - Trojan.
DR. Agent. HN (VirusBuster) - Win32:
Adan-002 [Adw] (AVAST) - Win32.
SuspectCrc (Ikarus) - Dropper.
Agent. BC (AVG) - TR/LowZones.
A. 3 (AVIRA) - Download.
Adware (NAV) - Trojan.
DL. Agent. fc (Rising) - ADW_WINAD (TrendMicro)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.