Technical Details
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 48 650 bytes in size. It is written in Delphi.
Installation
Once launched, the Trojan moves its body into the file:
%APPDATA%\download2\svcnost.exe
To ensure that this file is launched automatically each time the system is rebooted, the following system registry key is created:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"download" = "%APPDATA%\download2\svcnost.exe"
In addition, the file created is added to the list of applications trusted by Windows Firewall by creating the following system registry key:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%APPDATA%\download2\svcnost.exe" = "%APPDATA%\download2\svcnost.exe:*:Enabled:ldrsoft"
Payload
Once launched, the Trojan establishes a connection with the malicious user's server:
ca-pdt.com
and sends this server the following information about the system:
- The name of the default browser installed in the system. This parameter is read from the following system registry key:
[HKCU\Software\Classes\http\shell\open\command]
The following values may be sent:
IE
Firefox
Chrome
Opera
Mozila
Safari
Other
- Operating system version:
WinNT3
WinNT4
Win95
Win98
WinME
Win2000
WinXP
Win2003
Win7
Vista
- Information about antivirus software installed on the infected computer. This information is sent if there are any launched processes in the system with names containing the following substrings:
avp.
kav.
nod32krn.
ekrn.e
mcshield.
bdagent
ofcdog
srvload.e
navapsvc.e
ccsvchst.e
spidernt.e
dwengine.e
winssui.e
avastui.e
avastsvc.ex
avgrsx.e
avgnt.e
sched.e
Depending on the processes found, the following values may be sent:
KIS
Nod32
McAfee
BitDefender
TrendMicro
Panda
Norton
OneCare
Avast
AVG
Avira
After this, the Trojan downloads files from the above-mentioned server in an unending cycle. The downloaded files are saved in the directory:
%APPDATA%\download2
Once downloaded, the files are launched for execution. At the time of writing, the server was inactive.
Also, as part of its operations, the Trojan creates the system registry key:
[HKCU\Software\Microsoft]
"idln2" = "<rnd>"
where <rnd> is a random sequence of characters (for example, "msdgynwcq1vrubzyvdx13iyvs3vgcke").
Removal instructions
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the following system registry keys (see What is a system registry and how do I use it?):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"download" = "%APPDATA%\download2\svcnost.exe"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%APPDATA%\download2\svcnost.exe" = "%APPDATA%\download2\svcnost.exe:*:Enabled:ldrsoft"
[HKCU\Software\Microsoft]
"idln2" = "<rnd>"
- Delete the following file:
%APPDATA%\download2\svcnost.exe
- Delete the following directory and all of its contents:
%APPDATA%\download2
- Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
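As an added example (not part of the original description), the following PowerShell script checks a host for the Installation artifacts listed above and the items named in the removal steps, and reports what it finds without deleting anything. Registry paths, value names and the "ldrsoft" string come from the description; the process name svcnost is assumed from the dropped file name.

```powershell
# Added example: read-only check for the artifacts this description lists.
$target   = Join-Path $env:APPDATA 'download2\svcnost.exe'
$dir      = Join-Path $env:APPDATA 'download2'
$findings = @()

# 1. Autorun value "download" under the HKLM Run key
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'download' -ErrorAction SilentlyContinue
if ($run -and $run.download -like '*download2\svcnost.exe*') {
    $findings += "Run value 'download' = $($run.download)"
}

# 2. Windows Firewall authorized-application entry for the dropped file
$fwKey = 'HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\' +
         'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like '*download2\svcnost.exe' -or
            "$($p.Value)" -like '*:Enabled:ldrsoft') {
            $findings += "Firewall whitelist entry: $($p.Name) = $($p.Value)"
        }
    }
}

# 3. Infection marker value "idln2" under HKCU\Software\Microsoft
$mark = Get-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name 'idln2' -ErrorAction SilentlyContinue
if ($mark) { $findings += "Marker 'idln2' = $($mark.idln2)" }

# 4. Dropped file and download directory on disk
if (Test-Path $target) { $findings += "File present: $target" }
if (Test-Path $dir)    { $findings += "Directory present: $dir" }

# 5. Running process started from the dropped file (name assumed from the file name)
Get-Process -Name svcnost -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process running: PID $($_.Id) $($_.Path)" }

if ($findings.Count -eq 0) { 'No indicators from this description found.' }
else { $findings }
```

Each reported finding corresponds to one of the removal steps above; the script only reads, so the deletions are still carried out as described.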
Summary
Technical details
File size of 48650 bytes.
Installation
Makes copies of itself with the following names once launched:
- %Temp%\tmp01011101101010 (%Temp% is the directory for temporary files on Windows OS, usually C:\Documents and Settings\\Local Settings\Temp)
- %UserDir%\Application Data\download\svcnost.exe (%UserDir% is the current user directory, usually C:\Documents and Settings\)
Creates the following files on an infected computer:
- %UserDir%\Application Data\download2
- %System%\drivers\etc\hosts2 (%System% is the Windows system directory, usually C:\Windows\System32)
Malicious activity
Creates the following files:
- %Temp%\3554593.exe
- %Temp%\3601125.exe
Launches files shown below for execution:
- %Temp%\3554593.exe
- %Temp%\3601125.exe
Modifies (deletes) Windows system files:
- %System%\drivers\etc\hosts
Description:
Modifies the file HOSTS (%System%\drivers\etc\hosts), adding its own IP address / host name combinations. When calling the specified servers, the operating system detects the combinations in the HOSTS file and sends requests to a different IP address.
Adds the following programs to the list of trusted applications:
- <path to source program><file of source program>
This method allows the program to access the internet, evading some protection measures.
Connects to the following Internet addresses:
- ***.78.240.211:20480
- ***.188.60.26:20480
- ***.188.60.175:20480
- ***.149.226.154:47873
Creates unique identifiers to flag its presence in the system
Uses the masks shown below to search for files on the victim machine:
Other activities
Modifies the system registry keys:
[HKCU\Software\Microsoft]
"idln2" = "wngkc1jlopmayhqfzccuejjevzpyrgu"
[HKCU\Software\Microsoft]
"bk" = "ca-pdk.com/;"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"download" = "%UserDir%\Application Data\download2\svcnost.exe"
Description:
Used to automatically run files when the Windows OS boots
[HKLM\SYSTEM]
"Randseed_1" = "0xE520BE9"
[HKLM\SYSTEM]
"Randseed_2" = "0x32C4FAC9"
Deletes the following files on an infected computer:
- <path to source program><file of source program>
- %Temp%\tmp01011101101010
- %System%\drivers\etc\hosts2