Trojan.Win32.Agent.fajk

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a Windows application (PE-EXE file). 6656 bytes. Written in C++.

Installation

After launching, the trojan copies its body to the following file:

C:\Program Files\Common Files\seria.exe

The created copy is then launched for execution.

To delete the original file after shutting down, the trojan creates the shell script "Del.bat" in the current user temporary file directory "%Temp%" with the following content:

@ping -n 3 127.0.0.1>nul
@del /F /Q "<full path to the original trojan file>"
@del /F /Q "<full path to the original trojan file>"
@exit

The created script is then launched for execution. The script file is also deleted.

Payload

After launching, the trojan carries out the following actions:

• it creates a shell script

  C:\Program Files\Regrun.dat
  C:\Program Files\Regrun.bat
  as follows:
  @reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  /v 36OSafeUpdate /t REG_SZ /d "C:\Program Files\Common Files\seria.exe" /f
  

• It runs the created script "Regrun.bat", which creates a system registry key:

  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  "36OSafeUpdate" = "C:\Program Files\Common Files\seria.exe"
  

  The trojan is therefore automatically launched every time the system is started.
• It deletes the following file:

  C:\Program Files\Regrun.bat

• To control the uniqueness of its process within the system, it creates unique identifiers under the following names:

  mutex_reboot_down
  mutex_cpa_.la
  

• It informs the attacker of the successful infection of the system by opening the following link:

  http://vip.h***i2.com:882/admin/count.php?isOnline=1

• It stops the Windows Firewall service by running the command:

  net stop sharedaccess

• It creates the following directory in the D drive root:

  d:\WinsUp

• It downloads a list of URLs from the attacker's server to download the files to the infected computer from the following link:

  http://list.h***i2.com:6668/Down/list.txt

  The downloaded data is saved in the following file:

  c:\Program Files\nowlist2.dat

• It reads the links from "nowlist2.dat" and downloads the files. The files are saved under the following names:

  d:\WinsUp\kb75818<rnd>.exe

  where <rnd> is random numbers.

  After successful download, the files are launched for execution. These links did not work when creating the description.

  
  

  Removal instructions

  If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Using Task Manager, end the process "seria.exe".
  2. Delete the following files:

     C:\Program Files\Common Files\seria.exe
     C:\Program Files\Regrun.dat
     c:\Program Files\nowlist2.dat
     

  3. Delete the system registry key (how to work with the registry?):

     [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     "36OSafeUpdate" = "C:\Program Files\Common Files\seria.exe"
     

  4. Delete the directory and all of its contents:

     d:\WinsUp

  5. Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
  6. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
  
  

  MD5: 1F693C2BE49A744D2DE5D32296B6F0D1
  SHA1: 0F9C2A11733CA55403CD60F56F19EC17FE53644F