
Trojan.Win32.Agent.eory

Detected Jul 18 2010 14:59 GMT
Released Jul 19 2010 06:31 GMT
Published Mar 22 2011 09:27 GMT


Technical Details

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE DLL file). It is 26 625 bytes in size. It is written in C++.

Installation

The Trojan copies its body to the Windows system directory as "iqum.tco":

%System%\iqum.tco

In order to ensure that it is launched automatically when the system is rebooted, the Trojan adds an entry to the system registry autorun key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe iqum.tco lqpjxwe"

Payload

If Microsoft Office is installed on the user's computer, the Trojan sets the Word macro security level to Low by writing the following values to the system registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"Level" = "1"
"AccessVBOM" = "1"

It then runs a macro that launches the original body of the Trojan.

To ensure that its process is unique within the system, the Trojan creates a unique identifier:

54774082920a5dc9d

Then, the Trojan creates a process named "svchost.exe" and injects its malicious code into the process's address space:

svchost.exe

The Trojan sends a request to the following address:

http://repu***cracy.cn/myxxx/bb.php

At the time of writing, this link was inactive.

In response, it receives a configuration file for its subsequent functionality.

Links received from the configuration file for downloading other malicious files are saved by the Trojan in the following registry key:

[HKCR\idid]


Removal instructions

If your computer does not have antivirus software installed and is infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following files:
    %System%\iqum.tco
  3. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?): %Temporary Internet Files%
  4. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKCR\idid]
  5. If necessary, restore the values of the "Level" and "AccessVBOM" parameters in the system registry key (see What is a system registry and how do I use it?):
    [HKCU\Software\Microsoft\Office\11.0\Word\Security]
    "Level"
    "AccessVBOM"
    
  6. Restore the value of the system registry key parameter to the following (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe"
    
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
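As an added example (this is not code from Kaspersky Lab or from this description), the following PowerShell script checks a host for the indicators listed above and, when run with a -Remediate switch of my own naming, applies removal steps 2, 4 and 6. It assumes the Windows system directory is %SystemRoot%\System32, treats any Winlogon Shell value other than plain explorer.exe as tampered (a generalisation of the single value shown on this page, since other samples chain a different loader after Explorer.exe), and only reports the Word security values rather than changing them, because their pre-infection settings are not given here.

```powershell
# Added example, not Kaspersky Lab's code: audits a Windows host for the indicators
# described on this page and optionally reverts the ones the removal steps cover.
# Run from an elevated PowerShell prompt. The -Remediate switch is my own naming.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$findings = @()

# Step 2: dropped file in the system directory (%System%\iqum.tco).
# Assumption: %System% is %SystemRoot%\System32.
$dropped = Join-Path $env:SystemRoot 'System32\iqum.tco'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
    if ($Remediate) { Remove-Item -LiteralPath $dropped -Force }
}

# Step 6: Winlogon Shell persistence. Anything other than plain explorer.exe is
# treated as tampered, which catches this sample's
# 'Explorer.exe rundll32.exe iqum.tco lqpjxwe' and similar chained Shell values.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -notmatch '^explorer\.exe$') {
    $findings += "Winlogon Shell tampered: '$shell'"
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe' }
}

# Step 5: Word macro security downgraded. Level=1 is Low; AccessVBOM=1 allows code
# to read and rewrite VBA projects. Reported only: the page says to restore these
# "if necessary" and the original values are not known to this script.
$wordSec = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security'
if (Test-Path -LiteralPath $wordSec) {
    $p = Get-ItemProperty -Path $wordSec
    if ("$($p.Level)" -eq '1')      { $findings += "Word macro security Level=1 (Low) at $wordSec" }
    if ("$($p.AccessVBOM)" -eq '1') { $findings += "Word AccessVBOM=1 at $wordSec" }
}

# Step 4: download-list key under HKEY_CLASSES_ROOT. PowerShell has no HKCR: drive
# by default, so the key is reached through the Registry:: provider path.
$idid = 'Registry::HKEY_CLASSES_ROOT\idid'
if (Test-Path -LiteralPath $idid) {
    $findings += "Registry key present: $idid"
    if ($Remediate) { Remove-Item -LiteralPath $idid -Recurse -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    if (-not $Remediate) {
        Write-Output 'Re-run with -Remediate to apply removal steps 2, 4 and 6.'
    }
}
```

The HKCU checks apply to the account that runs the script, so run it as the affected user (or translate the path to HKU\<SID> when auditing from another account). Steps 1, 3 and 7 (locating the original dropper, clearing Temporary Internet Files, and a full scan with current databases) remain manual, and a tampered Shell value should be recorded before it is reset, since the chained command names the loader and its export.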


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Agent.eory (Kaspersky Lab) is also known as:

  • Trojan: BackDoor-ELD (McAfee)
  • Mal/Sasfis-D (Sophos)
  • Trojan.Agent-131201 (ClamAV)
  • Generic Trojan (Panda)
  • W32/Trojan2.KQQE (FPROT)
  • Trojan:Win32/Oficla.E (MS(OneCare))
  • Trojan.Siggen.38511 (DrWeb)
  • Trojan.Generic.2782579 (BitDef7)
  • Trojan.Agent!42Xk7vZejiM (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Trojan.Win32.Oficla (Ikarus)
  • Agent2.ABCJ (AVG)
  • Trojan Horse (NAV)
  • W32/Oficla.O (Norman)
  • Trojan.Win32.Generic.11F0C403 (Rising)
  • Trojan.Win32.Agent.eory [AVP] (FSecure)
  • TROJ_SASFIS.SMA (TrendMicro)
  • Trojan.Win32.Sasfis.a (v) (Sunbelt)
  • Trojan.Agent!42Xk7vZejiM (VirusBusterBeta)