
Trojan.MSIL.Agent.azy

Detected Feb 10 2011 04:43 GMT
Released Feb 10 2011 11:20 GMT
Published Mar 16 2011 12:20 GMT


Technical Details

This malicious program provides a malicious user with remote access to the infected computer. It is a Windows .NET application (PE EXE file) and is 39 424 bytes in size.


Payload

Once launched, the backdoor establishes a connection with this server:

in***aca.com
A combination of the following strings is used as a login and password:
zxm1987
1
123
1234
12345
123456
12345678
admin
Other malicious programs may be downloaded from the above-mentioned server to the user's computer. In addition, following a command received from the malicious user's server, the backdoor may perform the following actions:
  • Use MS SQL Server tools (calling the stored procedures "xp_regwrite" and "xp_regdeletekey") to change the following system registry keys on the above-mentioned server:
    [HKLM\Software\Microsoft\Jet\4.0\Engines]
    "SandBoxMode"
    
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    
    [HKLM\Software\Microsoft\Command Processor]
    "AutoRun"
    
  • Download files from a server specified by the malicious user and launch them for execution.
  • Upload files to a server specified by the malicious user.
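As an added, defender-side example that is not part of the Kaspersky description, the following Python routine scans captured T-SQL statements for xp_regwrite / xp_regdeletekey calls aimed at the three registry locations listed above; the sample statements are constructed, and the function and constant names are assumptions.

```python
import re

# Registry paths named in the description, lower-cased and relative to HKLM.
WATCHED_KEYS = {
    r"software\microsoft\jet\4.0\engines": "Jet SandBoxMode",
    r"software\microsoft\windows nt\currentversion\image file execution options": "IFEO",
    r"software\microsoft\command processor": "cmd.exe AutoRun",
}

# xp_regwrite @rootkey, @key, ... and xp_regdeletekey @rootkey, @key share
# the same first two arguments, so one pattern captures both calls.
CALL_RE = re.compile(
    r"xp_reg(?P<op>write|deletekey)\s+'(?P<root>[^']+)'\s*,\s*'(?P<key>[^']+)'",
    re.IGNORECASE,
)


def classify(statement):
    """Return (op, label) if the statement targets a watched HKLM key, else None."""
    m = CALL_RE.search(statement)
    if not m:
        return None
    if m.group("root").upper() not in ("HKEY_LOCAL_MACHINE", "HKLM"):
        return None
    key = m.group("key").strip("\\").lower()
    for watched, label in WATCHED_KEYS.items():
        # Match the key itself or any subkey beneath it (e.g. IFEO\<image>.exe).
        if key == watched or key.startswith(watched + "\\"):
            return (m.group("op").lower(), label)
    return None


def scan(statements):
    """Return a list of (line_no, op, label) for every suspicious statement."""
    hits = []
    for n, line in enumerate(statements, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits


# Constructed sample of captured statements (not from a real trace).
SAMPLE_LOG = [
    r"EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 0",
    r"EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Command Processor', 'AutoRun', 'REG_SZ', '<placeholder>'",
    r"EXEC master..xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe'",
    r"EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Contoso\App', 'Setting', 'REG_SZ', 'x'",
    r"SELECT name FROM sys.databases",
]
```

Running `scan(SAMPLE_LOG)` flags the first three statements and ignores the unrelated registry write and the plain query.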


Removal instructions

If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the files downloaded by the Trojan.
  4. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: ED92A9F7D48D3FBDA17F8ADCFE282D34
SHA1: BC5C19E8F58DE97B18B3DB482D9661B464C78B8B


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
