
Trojan-Dropper.Win32.Agent.cxdv

Detected Sep 01 2010 10:58 GMT
Released Sep 02 2010 11:10 GMT
Published Oct 20 2010 12:26 GMT


Technical Details

This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. It is 38400 bytes in size. It is written in C++.

Installation

Once activated, the Trojan copies itself to the Windows system directory under the name "fvfj.sxo":

%System%\fvfj.sxo
To ensure that it is launched every time the system boots, the Trojan appends itself to the "Shell" value of the Winlogon registry key, so that rundll32.exe loads "fvfj.sxo" alongside Explorer at each logon:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe fvfj.sxo trsnl"

Payload

Once launched, the Trojan decrypts and extracts the following file from its body into the current user's temporary directory:

%Temp%\<rnd1>.tmp
Where <rnd1> stands for a random set of digits and Latin letters.

This file is 20480 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Agent2.lom.

The Trojan then loads the extracted file into its own address space and runs its malicious code, which performs the following actions:

  • If Microsoft Office is installed on the user's computer, the Trojan lowers the Word macro security level by writing the following values to the system registry key (Office version 11.0 is Office 2003):
    [HKCU\Software\Microsoft\Office\11.0\Word\Security]
    "Level" = "1"
    "AccessVBOM" = "1"
    
    It then executes macros, which it uses to run the original body of the Trojan.
  • To mark its presence on the system, the Trojan creates the following unique identifier:
    249305880edc1b18
  • It starts a process named "svchost.exe" and injects its malicious code into it:
    svchost.exe
  • The Trojan sends a request to the following address and receives a configuration file that tells it what to do next:
    http://****m5.ru/bmw/bb.php
  • The Trojan saves the download links for other malicious files, taken from the configuration file, in the following registry key:
    [HKCR\idid]


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the victim machine).
  2. Delete the following files:
    %Temp%\<rnd1>.tmp
    %System%\fvfj.sxo
    
    Where <rnd1> stands for a random set of digits and Latin letters.
  3. Delete all Temporary Internet Files, which may contain infected files (see "How to delete infected files from the Temporary Internet Files directory"):
    %Temporary Internet Files%
  4. Delete the following system registry key (see "What is a system registry and how do I use it?" for details on how to edit the registry):
    [HKCR\idid]
  5. If necessary, restore the values of the "Level" and "AccessVBOM" parameters in the following system registry key (see "What is a system registry and how do I use it?"):
    [HKCU\Software\Microsoft\Office\11.0\Word\Security]
    "Level"
    "AccessVBOM"
    
  6. Restore the "Shell" parameter of the following system registry key to its default value (see "What is a system registry and how do I use it?"):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe"
    
  7. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
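The indicators from the Installation, Payload and Removal instructions sections above, gathered into one PowerShell audit-and-cleanup script. This is an added example, not Kaspersky's own tool: the function name Invoke-AgentCxdvAudit is mine, it assumes an elevated PowerShell session on the affected machine, it removes the "Level" and "AccessVBOM" values (so Word reverts to its built-in defaults) rather than guessing what they were before, and the svchost.exe check relies on the assumption that legitimate service hosts are started by services.exe, so it only reports.

```powershell
# Added example, not Kaspersky's code: audit a Windows host for the indicators
# described above and, with -Remediate, undo the persistence and Office changes.
# Assumes an elevated session. Nothing is changed unless -Remediate is given.
function Invoke-AgentCxdvAudit {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped component in the Windows system directory (%System%\fvfj.sxo).
    $dropped = Join-Path $env:SystemRoot 'System32\fvfj.sxo'
    if (Test-Path -LiteralPath $dropped) {
        $findings.Add("Dropped file present: $dropped")
        if ($Remediate) { Remove-Item -LiteralPath $dropped -Force }
    }

    # 2. Extracted payload: a 20480-byte .tmp file with a random name in %Temp%.
    #    Size is the only stable attribute the page gives, so these are only
    #    candidates for manual review and are never deleted automatically.
    Get-ChildItem -Path $env:TEMP -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 20480 } |
        ForEach-Object { $findings.Add("Candidate extracted payload (20480 bytes): $($_.FullName)") }

    # 3. Winlogon Shell hijack. A clean system has exactly "Explorer.exe" here;
    #    anything appended (here "rundll32.exe fvfj.sxo trsnl") runs at every logon.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ine 'Explorer.exe') {
        $findings.Add("Winlogon Shell modified: '$shell'")
        if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe' }
    }

    # 4. Word 2003 (Office 11.0) macro security lowered: Level=1 (Low) and
    #    AccessVBOM=1 (trust access to the VBA project). Removing the values lets
    #    Word fall back to its defaults (assumption: no policy manages them).
    $wordSec = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security'
    if (Test-Path -LiteralPath $wordSec) {
        $sec = Get-ItemProperty -Path $wordSec
        foreach ($name in 'Level', 'AccessVBOM') {
            if ($sec.$name -eq 1) {
                $findings.Add("Word macro security weakened: $name=1")
                if ($Remediate) { Remove-ItemProperty -Path $wordSec -Name $name }
            }
        }
    }

    # 5. Registry key where links from the downloaded configuration are stored.
    $idid = 'Registry::HKEY_CLASSES_ROOT\idid'
    if (Test-Path -LiteralPath $idid) {
        $values = (Get-Item -LiteralPath $idid).GetValueNames() -join ', '
        $findings.Add("Configuration key present: $idid (values: $values)")
        if ($Remediate) { Remove-Item -LiteralPath $idid -Recurse -Force }
    }

    # 6. Injected svchost.exe. Legitimate service hosts are children of
    #    services.exe, so any other parent is worth a look (heuristic, report only).
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.Name -ine 'svchost.exe') { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        if ($parentName -ine 'services.exe') {
            $findings.Add("svchost.exe PID $($p.ProcessId) started by $parentName (PID $($p.ParentProcessId))")
        }
    }

    return $findings
}

# Usage: audit first, review the findings, then run again with -Remediate.
Invoke-AgentCxdvAudit | ForEach-Object { Write-Host $_ }
# Invoke-AgentCxdvAudit -Remediate
```

The Winlogon check compares against the exact default rather than searching for "fvfj.sxo", so it also catches renamed variants of the same persistence technique; the svchost parent check is the generic counterpart of step 6 of the removal instructions and should be followed by a full scan, as the page recommends, rather than by killing processes on its own.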


Trojan-Dropper

Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.

This type of malicious program usually saves a number of files to the victim's drive (typically to the Windows directory, the Windows system directory, the temporary directory, etc.) and launches them without any notification (or with a fake notification about an archive error, an outdated operating system version, etc.).

Such programs are used by attackers to:

  • secretly install Trojan programs and/or viruses
  • protect known malicious programs from detection by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojan.

Aliases

Trojan-Dropper.Win32.Agent.cxdv (Kaspersky Lab) is also known as:

  • Trojan: Spam-Mailbot.ab (McAfee)
  • Troj/Agent-OOP (Sophos)
  • Trojan.Dropper-26195 (ClamAV)
  • Trj/Agent.NZG (Panda)
  • W32/Trojan3.BZH (FPROT)
  • TrojanDropper:Win32/Oficla.T (MS(OneCare))
  • Trojan.Packed.21143 (DrWeb)
  • Win32/Oficla.IE trojan (Nod32)
  • Trojan.Oficla.AF (BitDef7)
  • Trojan.Oficla!y4YY9F+emaI (VirusBuster)
  • Win32:Malware-gen (AVAST)
  • Trojan.Win32.Oficla (Ikarus)
  • FakeAV.CZQ (AVG)
  • TR/Spy.ZBot.EK (AVIRA)
  • Trojan.Sasfis (NAV)
  • W32/Agent.UYCQ (Norman)
  • Trojan.Win32.Generic.522E275D (Rising)
  • Trojan-Dropper.Win32.Agent.cxdv [AVP] (FSecure)
  • TROJ_BREDOLAB.DI (TrendMicro)
  • Trojan.Oficla!y4YY9F+emaI (VirusBusterBeta)