English

Log in

Search

The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service.

Internet threat level: 1

Read us on

Home→Descriptions→Trojan-Downloader.Win32.Agent.ehcj

Trojan-Downloader.Win32.Agent.ehcj

Detected	Aug 15 2010 02:18 GMT
Released	Aug 15 2010 10:16 GMT
Published	Mar 16 2011 10:05 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file) and is 85 504 bytes in size. It is written in Delphi.

Payload

Once launched, the Trojan carries out the following actions:

It opens this link in the default browser:
```
http://www.i***s.gov/pub/irs-pdf/f941.pdf
```
At the time of writing, a PDF document of 204 558 bytes in size was downloaded from this link.

It modifies the following system registry key values:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"TaskbarNoNotification" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced]
"EnableBalloonTips" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
System]
"EnableLUA" = "0"

This results in the disabling of pop-up notifications in the notification area, screen tips, and User Account Control (UAC).

It downloads files from the following links:

http://www.ps***rzedborz.pl/1.jpg
http://www.ps***rzedborz.pl/2.jpg
http://www.ps***rzedborz.pl/ChilkatCert_NT4.dll
http://www.ps***rzedborz.pl/extract_cert.exe

The downloaded files are correspondingly saved in the system as:

%System%\AcroIEHelper.dll
%System%\ChilkatCert_NT4.dll
%System%\extract_cert.exe

At the time of writing, these links were inactive.

It uses the system utility "regsvr32.exe" to register the previously downloaded library "AcroIEHelper.dll" in the system.
It launches the downloaded file "extract_cert.exe".

The Trojan then ceases running.

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).

Delete the following files:

%System%\AcroIEHelper.dll
%System%\ChilkatCert_NT4.dll
%System%\extract_cert.exe

Restore the original system registry key values (see What is a system registry and how do I use it?):

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer]
"TaskbarNoNotification" 

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced]
"EnableBalloonTips" 

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
System]
"EnableLUA"

Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

Print

Share

Malicious programs

Trojans

Trojan-Downloader

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.

Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).

This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.

Other versions

Trojan-Downloader.Win32.Agent.ac

Trojan-Downloader.Win32.Agent.ahoe

Trojan-Downloader.Win32.Agent.alr

Trojan-Downloader.Win32.Agent.bgol

Trojan-Downloader.Win32.Agent.bl

Trojan-Downloader.Win32.Agent.bq

Trojan-Downloader.Win32.Agent.brit

Trojan-Downloader.Win32.Agent.bvz

Trojan-Downloader.Win32.Agent.cvow

Trojan-Downloader.Win32.Agent.dlyf

Trojan-Downloader.Win32.Agent.ecwi

Trojan-Downloader.Win32.Agent.ed

Trojan-Downloader.Win32.Agent.ejui

Trojan-Downloader.Win32.Agent.ekbl

Trojan-Downloader.Win32.Agent.elej

Trojan-Downloader.Win32.Agent.eljy

Trojan-Downloader.Win32.Agent.elrc

Trojan-Downloader.Win32.Agent.fdi

Trojan-Downloader.Win32.Agent.fk

Trojan-Downloader.Win32.Agent.fpp

Trojan-Downloader.Win32.Agent.fqbf

Trojan-Downloader.Win32.Agent.fwcp

Trojan-Downloader.Win32.Agent.gdmw

Trojan-Downloader.Win32.Agent.mee

Trojan-Downloader.Win32.Agent.pj

Trojan-Downloader.Win32.Agent.qlh

Trojan-Downloader.Win32.Agent.rs

Trojan-Downloader.Win32.Agent.td

Trojan-Downloader.Win32.Agent.tuc

Trojan-Downloader.Win32.Agent.uj

Trojan-Downloader.Win32.Agent.zf

Aliases

Trojan-Downloader.Win32.Agent.ehcj (Kaspersky Lab) is also known as:

Trojan: Generic Downloader.x!ebu (McAfee)
Mal/Generic-L (Sophos)
Generic Trojan (Panda)
W32/Delfloader.B.gen!Eldorado (FPROT)
TrojanDownloader:Win32/Nimkey.A (MS(OneCare))
Trojan.DownLoad2.15075 (DrWeb)
Win32/Spy.Delf.OJO trojan (Nod32)
Trojan.Nimkey.A (BitDef7)
Trojan.DL.Agent!BL3bIY4AzTU (VirusBuster)
Win32:Spyware-gen [Spy] (AVAST)
Trojan-Downloader.Win32.Small (Ikarus)
PSW.Generic8.KYM (AVG)
TR/Dldr.Delphi.Gen (AVIRA)
Infostealer.Nimkey (NAV)
Suspicious_Gen.KSCH (Norman)
Trojan.Win32.Generic.52283F03 (Rising)
Trojan-Downloader.Win32.Agent.ehcj [AVP] (FSecure)
TROJ_DLOAD.TZ (TrendMicro)
Trojan-Downloader.Win32.Small (Sunbelt)
Trojan.DL.Agent!BL3bIY4AzTU (VirusBusterBeta)

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

securelist.com