Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Agent.csxg
Trojan-Dropper.Win32.Agent.csxg
| Detected | Aug 17 2010 00:37 GMT |
| Released | Aug 17 2010 10:58 GMT |
| Published | Mar 22 2011 13:22 GMT |
Payload
Removal instructions
Technical Details
This Trojan installs other programs on the computer without the user's knowledge. It is a Windows application (PE EXE file). It is 40 960 bytes in size. It is packed using ASPack. The unpacked file is approximately 242 KB in size. It is written in C++.
Payload
Once launched, the Trojan carries out the following actions:
- It extracts from itself a file, which is then saved in the system as
%USERPROFILE%\Microsoft\smx4pnp.dll
(4608 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.kph") - It creates the following system registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "smx4pnp" = "rundll32.exe "%USERPROFILE%\Microsoft\smx4pnp.dll", Launch"
Thereby, each time the system is rebooted, the "Launch" function will be called from the previously extracted library. - It launches the system utility "rundll32.exe" with the settings:
"%USERPROFILE%\Microsoft\smx4pnp.dll", Launch
- It terminates the process:
%System%\calc.exe
mo***lo.ina file named "s.txt" is requested; this file contains links for downloading files. Then, in a cycle, files are downloaded from the links obtained and launched for execution. The downloaded files are saved in the directory
%Temporary Internet Files%At the time of writing, these files could not be downloaded.
Removal instructions
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the process "rundll32.exe".
- Delete the following file:
%USERPROFILE%\Microsoft\smx4pnp.dll
- Delete the following system registry key (see What is a system registry and how do I use it?):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "smx4pnp" = "rundll32.exe "%USERPROFILE%\Microsoft\ smx4pnp.dll", Launch"
- Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- Trojan:
Generic Downloader. x!ebv (McAfee) - Mal/Taterf-B (Sophos)
- Trojan.
Agent-168956 (ClamAV) - Trj/Downloader.
MDW (Panda) - Trojan:
Win32/Malagent (MS(OneCare)) - Trojan.
Siggen2. 490 (DrWeb) - Win32/TrojanDownloader.
Agent. QCJ trojan (Nod32) - Trojan.
Generic. KD. 26878 (BitDef7) - Trojan.
DR. Agent. YJVL (VirusBuster) - Win32:
Malware-gen (AVAST) - Trojan-Dropper (Ikarus)
- Win32/NSAnti.
J (AVG) - TR/Dropper.
Gen (AVIRA) - Infostealer.
Gampass (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- Trojan.
Win32. Generic. 522773F5 (Rising) - Trojan-Dropper.
Win32. Agent. csxg [AVP] (FSecure) - TROJ_DLOAD.
SMZD (TrendMicro) - BehavesLike.
Win32. Malware (v) (Sunbelt) - Trojan.
DR. Agent. YJVL (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.