Trojan-Dropper.Win32.Agent.crbk

Technical Details

This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 27 136 bytes in size. It is written in C++.

Payload

Once launched, the Trojan extracts the following file from its resources to the current user's temporary directory:

%Temp%<rnd1>.vbs

This file is 2967 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Downloader.VBS.Agent.aae.

The Trojan then launches the extracted file, deletes its original body, and ceases running.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
2. Delete the following files:

   %Temp%\<rnd>.tmp

   where <rnd> is a random set of numbers and letters.
3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 681A4D8A9AFFC01C0D820235C86F0982
SHA1: 24E78E1E1D8C6C0E5C28F47BF40A22FF6FB70D5F

Summary

• Trojan-Dropper. Hidden installation of other malicious programs in the system

Technical details

File size of 27136 bytes.

Malicious activity

Creates the following files:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\4c1bb57a.vbs (­Kaspersky Anti-Virus detects as­ Trojan-Downloader.VBS.Agent.aae)

Launches files shown below for execution:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\4c1bb57a.vbs

Other activities

Deletes the following files on an infected computer:

• <­path to source program­><­file of source program ­>