Trojan-Dropper.Win32.Agent.ezqm

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that installs and launches other software on the infected computer without the user's knowledge. It is a Windows application (PE-EXE file). 231124 bytes. Written in C++.

Payload

After launching, the trojan searches for the launched process named:

Garss.exe

If this process has been launched, the trojan terminates its implementation. The trojan then retrieves the file saved in the temporary file directory under the following name from its body:

%Temp%\<rnd>_res.tmp

where rnd is a random digital sequence. It then moves this file and saves it under the following name:

%Documents and Settings%\QQCRT.DLL

The file is 22154588 bytes and is detected by Kaspersky Antivirus as Trojan-GameThief.Win32.Magania.erpe. The trojan also moves the system file:

%System%\rundll32.exe

to

C: \Program Files\Garss.exe

Then, using the command line, it launches the malicious library for execution:

C:\Program Files\Garss.exe "C:\Documents and Settings\QQCRT.DLL" Main

To start up the malicious library, the trojan modifies the "BITS" system service. The trojan therefore creates and launches a system registry file under the following name:

C:\1.reg

after which the following information is added to the system registry:

[HKLM\System\CurrentControlSet\Services\BITS]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"DisplayName"="Background Intelligent Transfer Service (BITS)"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"DependOnGroup"=hex(7):00
"ObjectName"="LocalSystem"
"Description"="Ensures the transfer of data between clients and severs in the background. If the BITS service is disabled, options such as Windows Update will not work properly."
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00

[HKLM\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%Documents and Settings%\QQCRT.DLL"

After launching, the "1.reg" file is deleted. The trojan also searches for the following antivirus processes:

RsTray.exe
360tray.exe

and runs active resistance to anti-virus applications in separate strings. The trojan may also copy its executable file under the following name:

C:\Program Files\QQ.EXE

It creates a file entitled:

C:\LoadLibrary.exe

which may also be moved by the trojan and saved under the following name:

%Documents and Settings%\%Current User%\Main menu\X.exe

The file is 36752 bytes. The trojan uses this file to launch the malicious library. It retrieves the following certificate from its body and installs this:

%WinDir%\Windows.cer – which is 590 bytes.

After its implementation, the trojan deletes itself.

Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

1. Stop running the "BITS" service.
2. Delete the following file:

   %Documents and Settings%\QQCRT.DLL

3. Restore the "ServiceDll" parameter value for the system registry key:

   [HKLM\System\CurrentControlSet\Services\BITS\Parameters]
   "ServiceDll"="%Documents and Settings%\QQCRT.DLL"
   

   change to

   [HKLM\System\CurrentControlSet\Services\BITS\Parameters]
   "ServiceDll" = "%SystemRoot%\System32\qmgr.dll"
   

4. Restore the "BITS" service.
5. Delete the following files:

   C:\Program Files\QQ.EXE
   C:\LoadLibrary.exe
   %Documents and Settings%\%Current User%\Main menu\X.exe
   %WinDir%\Windows.cer
   

6. Rename the file:

   C: \Program Files\Garss.exe

   to

   %System%\rundll32.exe

7. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

MD5: b8ae1e3ce04afa9d7aa1752b9e93641b
SHA1: 03af00527ff7710b978ed32a81250d29fcbeead2

Summary

• Trojan-Dropper. Hidden installation of other malicious programs in the system

• Performs potentially dangerous activity

Technical details

File size of 231124 bytes.

Installation

Makes copies of itself with the following names once launched:

• Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\QQ.EXE

Creates the following files on an infected computer:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\131468_res.tmp (­Kaspersky Anti-Virus detects as­ Trojan-GameThief.Win32.Magania.erpe)
• Directory of users' settings%Documents and Settings%\QQCRT.DLL (­Kaspersky Anti-Virus detects as­ Trojan-GameThief.Win32.Magania.erpe)
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\163312_res.tmp
• C:\LoadLibrary.exe
• Windows directory (usually, C:\Windows)%Windir%\Windows.cer
• Current user directory (usually, C:\Documents and Settings\) %UserDir%\Start Menu\X.exe

Malicious activity

Creates the following files:

• Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Garss.exe

Launches files shown below for execution:

• Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Garss.exe

Other activities

Runs the following files (commands):

• Windows system directory (usually, C:\Windows\System32) %System%\rundll32.exe cryptext.dll,CryptExtAddCER Windows directory (usually, C:\Windows)%Windir%\Windows.cer

Searches for the following windows:

Class:	#32770
Title	­­

Deletes the following files on an infected computer:

• <­path to source program­><­file of source program ­>
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\131468_res.tmp
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\163312_res.tmp
• C:\LoadLibrary.exe