Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Agent.dfqk
Trojan-Dropper.Win32.Agent.dfqk
| Detected | Oct 10 2010 04:56 GMT |
| Released | Oct 10 2010 12:41 GMT |
| Published | Mar 21 2011 08:46 GMT |
Payload
Removal instructions
Technical Details
This Trojan installs and launches other programs on the infected computer without the user's knowledge. It is a Windows application (PE EXE file). It is 24 576 bytes in size. It is packed using UPX. The unpacked file is approximately 47 KB in size. It is written in C++.
Payload
Once launched, the Trojan carries out the following actions:
- It extracts a file named "msdaozls.dll" from its body to the Windows system directory:
%System%\msdaozls.dll
This file is 36 865 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.xfck. This library is designed to steal passwords from user accounts for the game "World of Warcraft". - It launches the system utility "Rundll32.exe" with the following settings:
%System%\msdaozls.dll,w
Thereby, a function named "w" is called from the extracted library. - It searches in the system for a window with the class name "GxWindowClassD3d" and closes it, by sending the message WM_CLOSE.
- In its working directory, it creates a script for the command interpreter, launches it, and executes its task; this script deletes the original Trojan file and deletes itself.
Removal instructions
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following files:
%System%\msdaozls.dll
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- Trojan:
Generic. dx!ufo (McAfee) - Mal/Behav-290 (Sophos)
- Generic Trojan (Panda)
- PWS:
Win32/Frethog. MK (MS(OneCare)) - Trojan.
MulDrop1. 48828 (DrWeb) - Win32/PSW.
WOW. NOW trojan (Nod32) - Gen:
Trojan. Heur. RP. bmGfaK2WjNeb (BitDef7) - Trojan.
DR. Agent2!AzslG4mM6wQ (VirusBuster) - Win32:
Malware-gen (AVAST) - Virus.
Win32. Virut (Ikarus) - TR/Drop.
Raysun. A (AVIRA) - Trojan.
Gen (NAV) - W32/Malware.
OILH (Norman) - Trojan.
Win32. Generic. 5239FB25 (Rising) - Trojan-Dropper.
Win32. Agent. dfqk [AVP] (FSecure) - TSPY_FRETHOG.
SMZ (TrendMicro) - Trojan.
DR. Agent2!AzslG4mM6wQ (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.