Trojan.Win32.Agent.vk

Detected Sep 15 2006 09:41 GMT
Released Jun 28 2008 16:09 GMT
Published Sep 15 2006 09:41 GMT

Technical Details

This Trojan modifies the system configuration. The Trojan itself is a Windows PE EXE file 8704 bytes in size.


Payload

When launched, the Trojan creates a file with a random name composed of numbers and a BAT extension in the Windows temporary directory. This file is then executed and deleted, and the Trojan ceases running.

When launched, this packed file creates a system registry configuration file called c:\reg.reg. The configuration from this file will be transferred to the system registry, and the file will then be deleted.

These modifications to the system registry will cause the following message to be displayed every time the victim system is started:

The Internet Explorer home page will be altered to http://www.playboy.com/. Additionally, the functions of the left and right mouse buttons will be swapped, and the speed at which the computer reacts to a mouse double-click and to keys being pressed will be altered.


Removal instructions

  1. Delete the original Trojan file (its location will depend on how it initially penetrated the victim machine).
  2. Configure mouse and keyboard parameters.
  3. Delete the following registry values:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
     "LegalNoticeCaption"="YoU HaVe BeeN HacKeD"
     "LegalNoticeText"="Please contact 1-800-784-2433"
  4. Update your antivirus databases and perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus).
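
One way to carry out step 3 without removing a legitimate logon banner, which uses the same two Winlogon values: the PowerShell sketch below is an added example, not part of the original description or any vendor tool. It deletes a value only when it matches the string listed above exactly. The `-Remove` switch and all variable names are hypothetical.

```powershell
# Added example. Run from an elevated prompt if -Remove is used (HKLM write).
param([switch]$Remove)  # hypothetical switch: report only unless -Remove is given

$key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Strings exactly as listed in step 3 of the removal instructions.
$indicators = [ordered]@{
    LegalNoticeCaption = 'YoU HaVe BeeN HacKeD'
    LegalNoticeText    = 'Please contact 1-800-784-2433'
}

$findings = foreach ($name in $indicators.Keys) {
    # Returns $null when the value does not exist.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Name    = $name
        Current = $current
        # -ceq compares case-sensitively; the mixed case is part of the indicator.
        IsMatch = ($current -ceq $indicators[$name])
    }
}
$findings | Format-Table -AutoSize

# The dropped file named in the Payload section is normally deleted after import;
# if it is still present, keep a copy as evidence before cleaning up.
if (Test-Path -LiteralPath 'C:\reg.reg') {
    Write-Warning 'C:\reg.reg is present; preserve a copy before removing it.'
}

if ($Remove) {
    foreach ($f in ($findings | Where-Object { $_.IsMatch })) {
        Remove-ItemProperty -Path $key -Name $f.Name
        Write-Host "Removed $($f.Name)"
    }
}

# Non-empty values that differ from the listed strings are left untouched.
$other = $findings | Where-Object { $_.Current -and -not $_.IsMatch }
if ($other) {
    Write-Warning 'Legal notice values differ from this sample and were left in place.'
}
```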

Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Agent.vk (Kaspersky Lab) is also known as:

  • Trojan: Generic PWS.m (McAfee)
  • Mal/ShSearch-A (Sophos)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/Trojan.BBTS (FPROT)
  • TrojanDownloader:Win32/Agent.ADG (MS(OneCare))
  • Trojan.Collector (DrWeb)
  • Win32/Spy.Wesupder trojan (Nod32)
  • Trojan.Agent.AABR (BitDef7)
  • Win32:Agent-GRQ [Trj] (AVAST)
  • Trojan.Win32.Agent (Ikarus)
  • PSW.Generic4.PQA (AVG)
  • TR/Agent.AABR.3 (AVIRA)
  • Infostealer (NAV)
  • W32/Agent.DYOF (Norman)
  • Generic PWS.m (NAI)
  • TSPY_INFOSTEA.AW (PCCIL)
  • Trojan.Win32.Agent.vk (Rising)
  • TSPY_INFOSTEA.AW (TrendMicro)