English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.Win32.Agent.ezqu

Detected Aug 27 2010 10:21 GMT
Released Aug 27 2010 17:30 GMT
Published Mar 25 2011 08:18 GMT

Manual description Auto description
This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details
Payload
Removal instructions

Technical Details

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 48 650 bytes in size. It is written in Delphi.

Installation

Once launched, the Trojan moves its body into the file:

%APPDATA%\download2\svcnost.exe
To ensure that this file is launched automatically each time the system is rebooted, the following system registry key is created:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"download" = "%APPDATA%\download2\svcnost.exe"
In addition, the file created is added to the list of applications trusted by Windows Firewall by creating the following system registry key:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%APPDATA%\download2\svcnost.exe" = "%APPDATA%\download2\svcnost.exe:*:Enabled:ldrsoft"


Payload

Once launched, the Trojan establishes a connection with the malicious user's server:

ca-pdt.com
and sends this server the following information about the system:
  • The name of the default browser installed in the system. This parameter is read from the following system registry key:
    [HKCU\Software\Classes\http\shell\open\command]
    The following values may be sent:
    IE
    Firefox
    Chrome
    Opera
    Mozila
    Safari
    Other
    
  • Operating system version:
    WinNT3
    WinNT4
    Win95
    Win98
    WinME
    Win2000
    WinXP
    Win2003
    Win7
    Vista
    
  • Information about antivirus software installed on the infected computer. This information is sent if there are any launched processes in the system with names containing the following substrings:
    avp.
    kav.
    nod32krn.
    ekrn.e
    mcshield.
    bdagent
    ofcdog
    srvload.e
    navapsvc.e
    ccsvchst.e
    spidernt.e
    dwengine.e
    winssui.e
    avastui.e
    avastsvc.ex
    avgrsx.e
    avgnt.e
    sched.e
    
    Depending on the processes found, the following values may be sent:
    KIS
    Nod32
    McAfee
    BitDefender
    TrendMicro
    Panda
    Norton
    OneCare
    Avast
    AVG
    Avira
    
After this, the Trojan downloads files from the above-mentioned server in an unending cycle. The downloaded files are saved in the directory:
%APPDATA%\download2
Once downloaded, the files are launched for execution. At the time of writing, the server was inactive.

Also, as part of its operations, the Trojan creates the system registry key:

[HKCU\Software\Microsoft]
"idln2" = "<rnd>"
where <rnd> is a random sequence of characters (for example, "msdgynwcq1vrubzyvdx13iyvs3vgcke").


Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process. >liWhat is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "download" = "%APPDATA%\download2\svcnost.exe"
    
    [HKLM\System\CurrentControlSet\Services\SharedAccess\
    Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%APPDATA%\download2\svcnost.exe" = "%APPDATA%\download2\svcnost.exe:*:Enabled:ldrsoft"
    
    [HKCU\Software\Microsoft]
    "idln2" = "<rnd>"
    
  2. Delete the following file:
    %APPDATA%\download2\svcnost.exe
  3. Delete the following directory and all of its contents:
    %APPDATA%\download2
  4. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions

Aliases

Trojan.Win32.Agent.ezqu (Kaspersky Lab) is also known as:

  • Mal/Agent-DN (Sophos)
  • Trojan.Agent-168913 (ClamAV)
  • Trojan:Win32/Oficla.T (MS(OneCare))
  • Trojan.Packed.20874 (DrWeb)
  • Win32/Kryptik.GFY trojan (Nod32)
  • Trojan.Generic.KD.27460 (BitDef7)
  • TrojanSpy.Wemon!mgIUSs4bXxM (VirusBuster)
  • Win32:Crypt-HKR [Trj] (AVAST)
  • Trojan-Spy.Win32.Wemon (Ikarus)
  • PSW.Generic8.MTN (AVG)
  • TR/Crypt.XPACK.Gen (AVIRA)
  • Trojan.GootKit (NAV)
  • Trojan.Win32.Agent.ezqu [AVP] (FSecure)
  • TrojanSpy.Wemon!mgIUSs4bXxM (VirusBusterBeta)