Trojan.Win32.Agent.dcc

Detected Dec 01 2007 21:51 GMT
Released Dec 01 2007 21:51 GMT
Published May 16 2008 11:17 GMT

Technical Details

Installation

Once launched, the Trojan copies its executable file to the following location:

%System%\drivers\runtime.sys

In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which launches the Trojan executable file each time Windows is booted. The following registry key will be created:

[HKLM\System\CurrentControlSet\Services\runtime]

Once installed, the Trojan deletes its original file.

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.


Payload

The Trojan contains a rootkit driver which masks the presence of Trojan files on the hard disk, and also the presence of the files listed below:

%System%\ntoskrnl.exe
%System%\ntkrnlpa.exe
%System%\ntkrnlmp.exe
%System%\ntkrpamp.exe

It also masks the presence of processes related to these files.

The Trojan also launches a hidden process called "iexplore.exe". It injects its code into this process, which will then download files from the following addresses:

208.66.194.***
66.246.252.***
208.66.195.***
74.53.42.***
74.53.42.***

Downloaded files will be saved as:

%TEMP%\<rnd>.exe

with <rnd> standing for a random sequence of numbers.

Once downloaded, the files will be launched for execution.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program’s process.
  2. Delete the following system registry key:
    [HKLM\System\CurrentControlSet\Services\runtime]
  3. Delete the following file:
    %System%\drivers\runtime.sys
  4. Delete the contents of %Temp%.
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
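As an added triage example (written for this page, not Kaspersky's code and not part of the original description), the script below checks a registry export and a file listing for the indicators given above: the "runtime" service key under HKLM\System\CurrentControlSet\Services, a service ImagePath or file path ending in \drivers\runtime.sys, and executables named with a run of digits under a Temp directory (the %TEMP%\<rnd>.exe drops). The .reg fragment and the file paths are constructed sample input; the parser handles only the quoted-string subset of the .reg format, so it assumes ImagePath was exported as a plain string rather than the usual hex(2) encoding of REG_EXPAND_SZ.

```python
import re

# Indicators as given in the description; the parser and sample data are this example's own.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\runtime"
DRIVER_RE = re.compile(r"\\drivers\\runtime\.sys$", re.IGNORECASE)
# %TEMP%\<rnd>.exe, where <rnd> is a random sequence of digits
TEMP_DROP_RE = re.compile(r"\\temp\\\d+\.exe$", re.IGNORECASE)

# Constructed sample: a cut-down `reg export` of the Services key. A real export
# stores ImagePath as hex(2):.. (REG_EXPAND_SZ); it is written as a quoted string here.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\runtime]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\SystemRoot\system32\drivers\runtime.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"="\SystemRoot\system32\drivers\beep.sys"
"""

# Constructed sample: paths from a directory listing of the drivers folder and the user's Temp.
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\system32\drivers\runtime.sys",
    r"C:\WINDOWS\system32\drivers\beep.sys",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\48213.exe",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\setup.exe",
]


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers and "name"=value lines.

    Returns {key_path: {value_name: value_text}}. Quotes around names and
    string values are stripped; dword:/hex values are kept as their literal text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip().strip('"')
    return keys


def find_indicators(reg_export, file_paths):
    """Return a list of (kind, detail) findings for the persistence and drop indicators."""
    findings = []
    for key, values in parse_reg_export(reg_export).items():
        if key.lower() == SERVICE_KEY.lower():
            findings.append(("service_key", key))
            image = values.get("ImagePath", "")
            if DRIVER_RE.search(image):
                findings.append(("service_imagepath", image))
    for path in file_paths:
        if DRIVER_RE.search(path):
            findings.append(("driver_file", path))
        elif TEMP_DROP_RE.search(path):
            findings.append(("temp_dropped_exe", path))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG_EXPORT, SAMPLE_FILE_LISTING):
        print(f"{kind}: {detail}")
```

Because the rootkit driver masks its own files and processes on the running system, collect the registry hive and the file listing from outside the infected Windows installation (for example after booting from rescue media); a listing taken from inside it will not show runtime.sys even though the file is present. The Temp pattern is deliberately narrow and only flags the numeric-named executables this Trojan drops; step 4 of the removal instructions clears the whole directory instead.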

Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Agent.dcc (Kaspersky Lab) is also known as:

  • Trojan: Generic Dropper!ddn (McAfee)
  • Troj/Pushdo-Gen (Sophos)
  • Trojan.Agent-11159 (ClamAV)
  • Trj/Spammer.ADX (Panda)
  • W32/Trojan2.SXI (FPROT)
  • TrojanDropper:Win32/Cutwail.R (MS(OneCare))
  • BackDoor.Bulknet.98 (DrWeb)
  • Win32/Wigon.OD trojan (Nod32)
  • Trojan.Kobcka.BC (BitDef7)
  • Trojan.DR.Pandex.Gen!Pac.3 (VirusBuster)
  • Win32:Agent-PCR [Trj] (AVAST)
  • Trojan.Win32.Agent (Ikarus)
  • Downloader.Agent.14.C (AVG)
  • TR/Dropper.Gen (AVIRA)
  • Trojan.Pandex (NAV)
  • W32/Agent.DLNS (Norman)
  • Trojan.Win32.Undef.agl (Rising)
  • Trojan.Win32.Agent.dcc [AVP] (FSecure)
  • TROJ_GEN.USE0UJ (TrendMicro)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • Trojan.DR.Pandex.Gen!Pac.3 (VirusBusterBeta)