| Detected | Aug 30 2010 17:57 GMT |
| Released | Aug 31 2010 04:12 GMT |
| Published | Mar 24 2011 10:44 GMT |
This Trojan installs other programs on the computer without the user's knowledge. It is a Windows application (PE EXE file). It is 37 376 bytes in size. It is written in C++.
Once launched, the Trojan carries out the following actions:
It saves the following file to disk:
%System%\msapps\comsrvr.exe (29 696 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Agent.eljy")
It adds the following value to the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"COMServer" = "%System%\msapps\comsrvr.exe"
This ensures that the file "comsrvr.exe" will be launched automatically each time the system is rebooted.
The launched Trojan ("Trojan-Downloader.Win32.Agent.eljy") executes the functionality of a downloader. A connection is established with the following servers:
ccooo***o.cc
cccooo***o.cc
HTTP requests in the following format are sent to the above-mentioned hosts:
GET favicon.ico HTTP/1.1
Host: bcProxyBot.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 22.214.171.124)
Cookie: 000C29CBBE24<computer name>
In response to the request, the server sends a file, which the Trojan saves in the current user's temporary files directory "%Temp%" under a random name. Once downloaded, the file is launched for execution.
File downloading takes place in a cycle every 60 seconds.
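A defender-side check for the beacon described above, added here as an example and not part of Kaspersky's write-up: the script parses a simplified proxy log, flags GET requests for favicon.ico to bcProxyBot.com whose Cookie is twelve hex digits followed by a host name, and reports clients whose hits recur at roughly the documented 60-second cycle. The log line format, the client addresses, the timestamps and the sample host names are constructed assumptions; only the host, path, cookie shape and cycle length come from the description.

```python
"""Detect the downloader's HTTP beacon in proxy/HTTP logs (added example).

Assumptions (not from the original write-up): log lines are constructed here
in a simple "timestamp client method host path cookie" format. The indicator
values (host bcProxyBot.com, path favicon.ico, Cookie = 12 hex digits followed
by the computer name) and the 60-second retrieval cycle are from the description.
"""
import re
from collections import defaultdict
from datetime import datetime

BEACON_HOST = "bcproxybot.com"
BEACON_PATH = "favicon.ico"
# <12 hex digits><computer name>; NetBIOS names are at most 15 characters
COOKIE_RE = re.compile(r"^[0-9A-F]{12}[A-Za-z0-9_-]{1,15}$")
CYCLE_SECONDS = 60
TOLERANCE = 5  # seconds of jitter tolerated around the cycle

# Constructed sample log lines (not real traffic):
# "<ISO timestamp> <client> <method> <host> <path> <cookie or ->"
SAMPLE_LOG = """\
2010-08-30T17:57:00 10.0.0.5 GET bcProxyBot.com favicon.ico 000C29CBBE24WKSTN-01
2010-08-30T17:57:12 10.0.0.7 GET www.example.com index.html -
2010-08-30T17:58:01 10.0.0.5 GET bcProxyBot.com favicon.ico 000C29CBBE24WKSTN-01
2010-08-30T17:58:30 10.0.0.9 GET bcProxyBot.com favicon.ico sessionid=abc
2010-08-30T17:59:00 10.0.0.5 GET bcProxyBot.com favicon.ico 000C29CBBE24WKSTN-01
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, cookie = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host.lower(), "path": path.lstrip("/"), "cookie": cookie}


def is_beacon(rec):
    """True when the request matches the downloader's documented request pattern."""
    return (rec["method"] == "GET" and rec["host"] == BEACON_HOST
            and rec["path"] == BEACON_PATH and bool(COOKIE_RE.match(rec["cookie"])))


def find_beacons(log_text):
    """Return {client: [timestamps]} for requests matching the beacon pattern."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_beacon(rec):
            hits[rec["client"]].append(rec["ts"])
    return dict(hits)


def periodic_clients(hits, cycle=CYCLE_SECONDS, tol=TOLERANCE):
    """Clients whose beacons recur at roughly the documented 60 s interval."""
    out = []
    for client, stamps in hits.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps and all(abs(g - cycle) <= tol for g in gaps):
            out.append(client)
    return sorted(out)


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for client, stamps in hits.items():
        print(f"{client}: {len(stamps)} beacon request(s)")
    print("periodic at ~60 s:", periodic_clients(hits))
```

The cookie check matters more than the host name: the domains are masked in the write-up and can change, whereas the cookie layout (a fixed 12-hex-digit prefix followed by the computer name) is what the downloader itself generates, so it survives a host change. The periodicity step separates the Trojan's fixed-interval cycle from a user who happened to visit the same host once.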
If your computer does not have antivirus software installed and is infected by this malicious program, follow the instructions below to delete it:
Delete the following system registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "COMServer" = "%System%\msapps\comsrvr.exe"
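A check for the persistence entry described above, added here as an example and not part of Kaspersky's write-up: the script parses text in the layout printed by `reg query` for the current user's Run key and flags any value named COMServer or any value whose target ends in \msapps\comsrvr.exe, so that a renamed value or a differently named file path is still caught. The sample registry output, the unrelated OneDrive entry and the Windows paths are constructed assumptions; only the value name and the %System%\msapps\comsrvr.exe target come from the description.

```python
r"""Flag the downloader's autorun entry in exported Run-key data (added example).

Assumptions (not from the original write-up): the input is text in the layout
printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`,
constructed here. Only the value name "COMServer" and the target path
"%System%\msapps\comsrvr.exe" come from the description.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "comserver"              # compared case-insensitively
IOC_PATH_SUFFIX = r"\msapps\comsrvr.exe"  # %System% expands to a real directory on disk

# Constructed sample in `reg query` output layout (not from a real host)
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    COMServer    REG_SZ    C:\WINDOWS\system32\msapps\comsrvr.exe
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return (key, name, type, data) tuples; key lines are unindented, values indented."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, vtype, data = m.groups()
            entries.append((current_key, name, vtype, data.strip()))
    return entries


def _exe_path(data):
    """Extract the executable path from value data, whether quoted or bare."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def suspicious_autoruns(text):
    """Run-key entries whose name or target matches the Trojan's documented persistence."""
    findings = []
    for key, name, vtype, data in parse_reg_query(text):
        if key.lower() != RUN_KEY.lower():
            continue
        path = _exe_path(data).lower()
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name COMServer")
        if path.endswith(IOC_PATH_SUFFIX):
            reasons.append("target is %System%\\msapps\\comsrvr.exe")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_REG_QUERY):
        print(f"{f['name']} -> {f['path']}: {', '.join(f['reasons'])}")
```

Matching on the target path as well as the value name is deliberate: the registry value is what the removal instructions above tell you to delete, but a dropped copy of comsrvr.exe is the indicator that actually identifies the infection, and a name-only check would miss it if the value were renamed.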
Trojan-Dropper programs are designed to secretly install malicious programs built into their code on victim computers.
This type of malicious program usually saves a range of files to the victim's drive (usually to the Windows directory, the Windows system directory, the temporary directory, etc.) and launches them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to: