English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.Win32.Agent.fajk

Detected Aug 31 2010 08:22 GMT
Released Aug 31 2010 16:29 GMT
Published Sep 19 2011 12:01 GMT

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a Windows application (PE-EXE file). 6656 bytes. Written in C++.

Installation

After launching, the trojan copies its body to the following file:

C:\Program Files\Common Files\seria.exe
The created copy is then launched for execution.

To delete the original file after shutting down, the trojan creates the shell script "Del.bat" in the current user temporary file directory "%Temp%" with the following content:

@ping -n 3 127.0.0.1>nul
@del /F /Q "<full path to the original trojan file>"
@del /F /Q "<full path to the original trojan file>"
@exit
The created script is then launched for execution. The script file is also deleted.


Payload

After launching, the trojan carries out the following actions:

  • it creates a shell script
    C:\Program Files\Regrun.dat
    C:\Program Files\Regrun.bat
    as follows:
    @reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  /v 36OSafeUpdate /t REG_SZ /d "C:\Program Files\Common Files\seria.exe" /f
    
  • It runs the created script "Regrun.bat", which creates a system registry key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "36OSafeUpdate" = "C:\Program Files\Common Files\seria.exe"
    
    The trojan is therefore automatically launched every time the system is started.
  • It deletes the following file:
    C:\Program Files\Regrun.bat
  • To control the uniqueness of its process within the system, it creates unique identifiers under the following names:
    mutex_reboot_down
    mutex_cpa_.la
    
  • It informs the attacker of the successful infection of the system by opening the following link:
    http://vip.h***i2.com:882/admin/count.php?isOnline=1
  • It stops the Windows Firewall service by running the command:
    net stop sharedaccess
  • It creates the following directory in the D drive root:
    d:\WinsUp
  • It downloads a list of URLs from the attacker's server to download the files to the infected computer from the following link:
    http://list.h***i2.com:6668/Down/list.txt
    The downloaded data is saved in the following file:
    c:\Program Files\nowlist2.dat
  • It reads the links from "nowlist2.dat" and downloads the files. The files are saved under the following names:
    d:\WinsUp\kb75818<rnd>.exe
    where <rnd> is random numbers.

    After successful download, the files are launched for execution. These links did not work when creating the description.


    Removal instructions

    If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

    1. Using Task Manager, end the process "seria.exe".
    2. Delete the following files:
      C:\Program Files\Common Files\seria.exe
      C:\Program Files\Regrun.dat
      c:\Program Files\nowlist2.dat
      
    3. Delete the system registry key (how to work with the registry?):
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
      "36OSafeUpdate" = "C:\Program Files\Common Files\seria.exe"
      
    4. Delete the directory and all of its contents:
      d:\WinsUp
    5. Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
    6. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


    MD5: 1F693C2BE49A744D2DE5D32296B6F0D1
    SHA1: 0F9C2A11733CA55403CD60F56F19EC17FE53644F


Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions

Aliases

Trojan.Win32.Agent.fajk (Kaspersky Lab) is also known as:

  • Mal/Behav-291 (Sophos)
  • Heuristics.Broken.Executable (ClamAV)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/Downloader-Tir!Eldorado (FPROT)
  • TrojanDownloader:Win32/Chekafe.C (MS(OneCare))
  • Trojan.Siggen2.5338 (DrWeb)
  • Win32/TrojanDownloader.Small.OTY trojan (Nod32)
  • Win32.Patched.Mebratix.A (BitDef7)
  • Win32:Patched-VD [Trj] (AVAST)
  • Trojan.Win32.Agent (Ikarus)
  • Agent2.CJCG (AVG)
  • Suspicious.MH690 (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Mal_DLDER (TrendMicro)