Internet threat level: 1
Home→Descriptions→Trojan.Win32.Agent.dcc
Trojan.Win32.Agent.dcc
| Detected | Dec 01 2007 21:51 GMT |
| Released | Dec 01 2007 21:51 GMT |
| Published | May 16 2008 11:17 GMT |
Payload
Removal instructions
Technical Details
Installation
Once launched, the Trojan copies its executable file as shown below:
In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which launches the Trojan executable file each time Windows is booted. The following registry key will be created:
Once installed, the Trojan deletes its original file.
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.
Payload
The Trojan contains a rootkit driver which masks the presence of Trojan files on the hard disk, and also the presence of the files listed below:
%System%\ntkrnlpa.exe
%System%\ntkrnlmp.exe
%System%\ntkrpamp.exe
It also masks the presence of processes related to these files.
The Trojan also launches a hidden process called "iexplore.exe". It injects its code into this process, which will then download files from the following addresses:
66.246.252.***
208.66.195.***
74.53.42.***
74.53.42.***
Downloaded files will be saved as:
with <rnd> standing for a random sequence of numbers.
Once downloaded, the files will be launched for execution.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the malicious program’s process.
- Delete the following system registrykey:
[HKLM\System\CurrentControlSet\Services\runtime]
- Delete the following file:
%System%\drivers\runtime.sys
- Delete the contents of %Temp%
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
Trojan.
- Trojan:
Generic Dropper!ddn (McAfee) - Troj/Pushdo-Gen (Sophos)
- Trojan.
Agent-11159 (ClamAV) - Trj/Spammer.
ADX (Panda) - W32/Trojan2.
SXI (FPROT) - TrojanDropper:
Win32/Cutwail. R (MS(OneCare)) - BackDoor.
Bulknet. 98 (DrWeb) - Win32/Wigon.
OD trojan (Nod32) - Trojan.
Kobcka. BC (BitDef7) - Trojan.
DR. Pandex. Gen!Pac. 3 (VirusBuster) - Win32:
Agent-PCR [Trj] (AVAST) - Trojan.
Win32. Agent (Ikarus) - Downloader.
Agent. 14. C (AVG) - TR/Dropper.
Gen (AVIRA) - Trojan.
Pandex (NAV) - W32/Agent.
DLNS (Norman) - Trojan.
Win32. Undef. agl (Rising) - Trojan.
Win32. Agent. dcc [AVP] (FSecure) - TROJ_GEN.
USE0UJ (TrendMicro) - Trojan.
Win32. Generic!BT (Sunbelt) - Trojan.
DR. Pandex. Gen!Pac. 3 (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.