English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Follow us on

Home→Descriptions→Trojan-Dropper.Win32.Agent.sd

Trojan-Dropper.Win32.Agent.sd

Detected	Aug 17 2005 15:53 GMT
Released	Aug 17 2005 15:53 GMT
Published	Oct 25 2007 16:27 GMT

Manual description Auto description

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details
Payload
Removal instructions

Technical Details

This Trojan program masks its presence in the system from users and from other programs. It is a Windows PE SYS file. It is 4384 bytes in size. It is not packed in any way. It is written in C.

Installation

This malicious program will be installed to the victim machine together with other malicious programs. It is used to hide the activity of other malicious programs in the system.

When launched, the program copies itself to the Windows system directory:

%System%\nso12k.sys

It adds the following key to the system registry:

[HKLM\System\CurrentControlSet\Services\Driver]
"ImagePath" = "%System%\nso12k.sys"

Payload

This malicious program functions as an IP Filter Driver and filters the user’s Internet traffic. It uses object functionality in ntoskrnl.exe and ndis.sys in order to do this.

The program also makes the activity of other malicious programs in the system, making it possible for such programs to gain unhindered access to the Internet.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Delete the following system registry key value:

[HKLM\System\CurrentControlSet\Services\Driver]
"ImagePath" = "%System%\nso12k.sys"

Reboot the computer.
Delete the following file:
%System%\nso12k.sys
Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Print

Share

Malicious programs

Trojans

Trojan-Dropper

Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.

This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).

Such programs are used by hackers to:

secretly install Trojan programs and/or viruses
protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.

Other versions

Trojan-Dropper.Win32.Agent.aaj

Trojan-Dropper.Win32.Agent.adi

Trojan-Dropper.Win32.Agent.aga

Trojan-Dropper.Win32.Agent.albv

Trojan-Dropper.Win32.Agent.ate

Trojan-Dropper.Win32.Agent.bc

Trojan-Dropper.Win32.Agent.bgn

Trojan-Dropper.Win32.Agent.bot

Trojan-Dropper.Win32.Agent.csxg

Trojan-Dropper.Win32.Agent.cwsh

Trojan-Dropper.Win32.Agent.cwsw

Trojan-Dropper.Win32.Agent.cxdv

Trojan-Dropper.Win32.Agent.delm

Trojan-Dropper.Win32.Agent.dfqk

Trojan-Dropper.Win32.Agent.dvyh

Trojan-Dropper.Win32.Agent.vw

Aliases

Trojan-Dropper.Win32.Agent.sd (Kaspersky Lab) is also known as:

Trojan.Downloader.Small-3219 (ClamAV)
Heuristic.WinPE-Statistical (Panda)

Service name:	WINSERVICEMNG
Displayed service name:	WINSERVICEMNG
Startup parameters	Windows directory (usually, C:\Windows)%Windir%\winmng.exe
Startup type:	automatic

Trojan-Dropper.Win32.Agent.sd

Technical Details

Installation

Payload

Removal instructions

Summary

Technical details

Installation

Other activities

kaspersky.com

securelist.com