English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.Win32.Agent.bve

Detected Oct 04 2007 20:36 GMT
Released Oct 04 2007 20:36 GMT
Published Oct 03 2008 06:48 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan has a malicious payload. The program itself is a Windows PE DLL file. It is approximately 100KB in size.

Installation

The Trojan copies its executable file to the Windows system directory:

%System%\mstmdm.dll

In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds a link to its executable file in the system registry:

[HKLM\Software\Classes\CLSID\{E4D629C3-78D3-4597-AE36-CC394E39F934}\InprocServer32]
"default" = "%System%\mstmdm.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UpdateCheck" = {E4D629C3-78D3-4597-AE36-CC394E39F934}

Payload

The Trojan also creates the following registry key, and save its configuration to this key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\StrtdCfg]

The Trojan also creates the following files:

%WinDir%\1.txt
%System%\__1.dat
%WinDir%\system32\mswmpdat.tlb
%WinDir%\system32\winview.ocx

The Trojan gets network configuration via the following link:

http://livenews.*****.cx/update

It then modifies the DNS addresses of the current active connection to those it received from the network.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program’s process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following system registry key parameter values:
    [HKLM\Software\Classes\CLSID\{E4D629C3-78D3-4597-AE36-CC394E39F934}\InprocServer32]
    "default" = "%System%\mstmdm.dll"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "UpdateCheck" = {E4D629C3-78D3-4597-AE36-CC394E39F934}
  4. Delete the following registry key:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\StrtdCfg]
  5. Delete the following files:
    %WinDir%\1.txt
    %System%\__1.dat
    %WinDir%\system32\mswmpdat.tlb
    %WinDir%\system32\winview.ocx
    %System%\mstmdm.dll
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions

Aliases

Trojan.Win32.Agent.bve (Kaspersky Lab) is also known as:

  • Virus: W32/Autorun.worm.q (McAfee)
  • Mal/Generic-L (Sophos)
  • Worm.Autorun-1851 (ClamAV)
  • Trj/Agent.GUQ (Panda)
  • W32/Worm.BBEH (FPROT)
  • Trojan:Win32/Remdruk.A (MS(OneCare))
  • Win32.HLLW.Autoruner.280 (DrWeb)
  • Win32/AutoRun.AD worm (Nod32)
  • Trojan.Generic.1403634 (BitDef7)
  • Worm.Autorun.Gen.13 (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Virus.Win32.AutoRun.sd (Ikarus)
  • Worm/AutoRun.BB (AVG)
  • TR/Agent.98304E (AVIRA)
  • Trojan.Minit (NAV)
  • W32/Malware.AIZI (Norman)
  • Worm.Win32.AutoRun.j (Rising)
  • Trojan.Win32.Agent.bve [AVP] (FSecure)
  • Worm.Autorun.Gen.13 (VirusBusterBeta)