Trojan.Win32.Agent.fadd

Technical Details
Payload
Removal instructions

Technical Details

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 49 162 bytes in size. It is written in Delphi.

Installation

Once launched, the Trojan moves its body into the file:

%APPDATA%\download2\svcnost.exe

To ensure that this file is launched automatically each time the system is rebooted, the following system registry key is created:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"download" = "%APPDATA%\download2\svcnost.exe"

In addition, the file created is added to the list of applications trusted by Windows Firewall by creating the following system registry key:

[HKLM\System\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%APPDATA%\download2\svcnost.exe" = "%APPDATA%\download2\svcnost.exe:*:Enabled:ldrsoft"

Payload

Once launched, the Trojan establishes a connection with the malicious user's server:

ca***dt.com

and sends this server the following information about the system:

• The name of the default browser installed in the system. This parameter is read from the following system registry key:

  [HKCU\Software\Classes\http\shell\open\command]
  

  The following values may be sent:

  IE
  Firefox
  Chrome
  Opera
  Mozila
  Safari
  Other
  

• Operating system version:

  WinNT3
  WinNT4
  Win95
  Win98
  WinME
  Win2000
  WinXP
  Win2003
  Win7
  Vista
  

• Information about antivirus software installed on the infected computer. This information is sent if there are any launched processes in the system with names containing the following substrings:

  avp.
  kav.
  nod32krn.
  ekrn.e
  mcshield.
  bdagent
  ofcdog
  srvload.e
  navapsvc.e
  ccsvchst.e
  spidernt.e
  dwengine.e
  winssui.e
  avastui.e
  avastsvc.ex
  avgrsx.e
  avgnt.e
  sched.e
  

  Depending on the processes found, the following values may be sent:

  KIS
  Nod32
  McAfee
  BitDefender
  TrendMicro
  Panda
  Norton
  OneCare
  Avast
  AVG
  Avira
  

After this, the Trojan downloads files from the above-mentioned server in an unending cycle. The downloaded files are saved in the directory:

%APPDATA%\download2

Once downloaded, the files are launched for execution. At the time of writing, the server was inactive.

Also, as part of its operations, the Trojan creates the system registry key:

[HKCU\Software\Microsoft]
"idln2" = "<rnd>"

where <rnd> is a random sequence of characters (for example, "msdgynwcq1vrubzyvdx13iyvs3vgcke").

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Use Task Manager to terminate the Trojan process.
2. Delete the following system registry keys (see What is a system registry and how do I use it?):

   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "download" = "%APPDATA%\download2\svcnost.exe"
   
   [HKLM\System\CurrentControlSet\Services\SharedAccess\
   Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   "%APPDATA%\download2\svcnost.exe" = "%APPDATA%\download2\svcnost.exe:*:Enabled:ldrsoft"
   
   [HKCU\Software\Microsoft]
   "idln2" = "<rnd>"
   

3. Delete the following file:

   %APPDATA%\download2\svcnost.exe

4. Delete the following directory and all of its contents:

   %APPDATA%\download2

5. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).