Trojan.Win32.Agent2.dmvt

Technical Details
Payload
Removal instructions

Technical Details

A trojan program designed to steal the user's authentication data. It is a Windows application (PE-EXE file). 6144 bytes. UPX packed. Unpacked size – around 12 kB. Written in C++.

Payload

After launching, the trojan checks for the following branch in the system registry:

[HKCU\Software\Classes\CLSID\{82404416-4C60-47F8-BA06-90BA7261C3AE}\InprocServer32]

If the branch is missing, it performs the following actions:

• the body of the trojan is copied to the current user's temporary file directory:

  %Temp%\Procmon.exe

• The copy created is launched with the "loop" parameter.

When launching with the "loop" parameter, the trojan completes the processes with the "duospeak" substring in the names of their executable files. It then creates and launches the shell script "c:\test.bat" with the following content:

:try
del "<full path to the original trojan file>""
 if exist "<full path to the original trojan file>" goto try
 del %0

which results in the deletion of the original trojan file after it shuts down. The script is also deleted.

If this system registry branch is found, the trojan carries out the following actions:

• it reads the key value:

  [HKCU\Software\Classes\CLSID\{82404416-4C60-47F8-BA06-90BA7261C3AE}\InprocServer32]
  "default"
  

  This key saves the string containing the path to a DLL file.
• It deletes the following file:

  <Path>\YYCtrl.dll

  The <Path> is made up of the previously read strings by deleting the last 14 symbols.
• It retrieves the following file from its body:

  <Path>\YYCtrl.dll

  (4608 bytes; detected by Kaspersky Antivirus as "Trojan.Win32.Agent2.dmuw") The file is created with the "hidden" attribute.
• It modifies the library

  <Path>\msvcr71.dll

  writing the previously extracted library into the code loaded for a particular process. The malicious library "YYCtrl.dll" is therefore entered into the address space for all of the loaded "msvcr71.dll" processes.
• It creates and runs the previously described "c:\test.bat" script, and then shuts down.

Having loaded the "duospeak.exe" process into the address space, the "YYCtrl.dll" library allows for the information entered by the user in the following window classes to be tracked:

YYMainWnd
YYLogin
Edit

The data collected is sent to the server in HTTP-requests:

124.***.56.12
121.***.13.22

Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

1. Using Task Manager, end the "duospeak.exe" process.
2. Delete the following files:

   %Temp%\Procmon.exe
   <Path>\YYCtrl.dll
   

3. Restore the original file contents:

   <Path>\msvcr71.dll

4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

MD5: 7ACC4753C7A39E0F3E70C46DFCEF7E28
SHA1: 3DA90B2175444CC8DC10375C83B3D414A69F21BC

Summary

• Trojan-Dropper. Hidden installation of other malicious programs in the system

• Performs potentially dangerous activity

Technical details

File size of 6144 bytes.

Installation

Makes copies of itself with the following names once launched:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\Procmon.exe

Malicious activity

Creates the following files:

• c:\test.bat

Launches files shown below for execution:

• c:\test.bat

Other activities

Runs the following files (commands):

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\Procmon.exe