Trojan.Win32.Agent.fw

Technical Details

When installed into the system, it connects to remote Command and Control center (C&C) every few minutes and receives additional instructions. It can be a command to download new malicious applications or various requests about stealing particular data from the infected computer.

Payload

• Use crypto library to encrypt connections and to connect to remote command center via HTTPS.
• Send data via random port number
• Deletes or steals security certificates from

  CurrentUser\ApplicationData\Microsoft\SystemCertificates\My\CTL, CurrentUser\ApplicationData\Microsoft\SystemCertificates\My\CRL, CurrentUser\ApplicationData\Microsoft\SystemCertificates\My\Certificates. 
  

• May disable some security features enforced by Group Policy,
• This malware infects computer by copying itself to random subdirectory of %Currentuser%\Application data\ directory using any of possible variants of system file names taken from SYSTEM32 folder. I.e. msg.exe, mshearts.exe, mshta.exe, msiexec.exe and so on.
• Creates new service value under “HKU\Software\Microsoft\Windows\CurrentVersion\Run” key. The path will point to the malicious file located in the %Curentuser%\Application Data\<random directory>
• In some cases it creates %Currentuser%\Application Data\Microsoft\Internet Explorer\setup.exe file that is a copy of itself
• Injects itself into EXPLORER.exe. So, it can run if at least 1 process with name “explorer.exe” is running in the system. When infected, the Explorer.exe connects to remote host for receiving new commands.
• Tries to write itself to burnable CD or BlueRay.
• Provides remote access to infected system and sends spam to some target on particular date

Prevention

• We suggest running WindowsUpdate, JavaUpdate and AdobeUpdate to install the latest patches and protect that system from possible exploits. In the past there were many Java RTM & Adobe vulnerabilities reported. The infection was possible if this customer did not run updaters for a while.
• Another possible way to get infection is misconfigured open shares. We suggest to review remote file shares that this system accessing to or shared folders on this computer. It can be possible, that this system has open shares configured to FULL ACCESS to EVERYONE. In this case local files can be accessible from other systems that lead to infection. If this happens, I would suggest installing EP8 on all other systems and rescanning them all.

Removal instructions

1. Using the Task Manager terminate all processes with name “explorer.exe”
2. Start Regedit from the Task Manager and do the following:
   • Temporary rename “HKU\Software\Microsoft\Windows\CurrentVersion\Run” key (to something like HKU\Software\Microsoft\Windows\CurrentVersion\Saved_Run_Key) and reboot the system.
3. After the system boots, please rescan c:\Document and Settings\ folders including all subfolders.
4. Manually review content of the following directories and send any suspicious file to newvirus. The suspicious file may have a name as one of the executables from the %system32% folder.

   CurrentUser\ApplicationData\Microsoft\SystemCertificates\My\CTL, CurrentUser\ApplicationData\Microsoft\SystemCertificates\My\CRL, CurrentUser\ApplicationData\Microsoft\SystemCertificates\My\Certificates
   

5. Rename HKU\Software\Microsoft\Windows\CurrentVersion\Save_Run_Key back to …\Run.