Internet threat level: 1
Watch us on
Home→Descriptions→Trojan.Win32.Agent.cyzi
Trojan.Win32.Agent.cyzi
| Detected | Oct 12 2009 05:43 GMT |
| Released | Oct 12 2009 10:50 GMT |
| Published | Apr 29 2011 10:39 GMT |
Technical Details
Payload
Removal instructions
Payload
Removal instructions
Technical Details
This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file). It is 13 824 bytes in size. It is packed using UPX. The unpacked file is approximately 24 KB in size. It is written in C++.
Installation
Once launched, the Trojan performs the following actions:
- It copies its body to the files:
%Program Files%\360rpv.exe %Program Files%\syslass.cpl
- It extracts a file from its body and saves it in the system as:
%System%\svcnet32.dll (13 312 bytes; will be detected by Kaspersky Anti-Virus
The creation/modification date and time of the file created are set to be identical to the system file:
as "Trojan.Win32.Agent.cyzi")%System%\ntdll.dll
- "Hidden", "system" and "read only" attributes are assigned to the files that are created. At the same time, the "hidden" attribute is assigned to the original Trojan file.
- It creates a service with the following parameters:
- Name: "Avt-Net";
- Name displayed in applications: "Portable Sound Serial Number Services";
- Executable file:
%SystemRoot%\system32\svchost -k Avt-Net
- It creates the following system registry keys:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost] "Avt-Net" = "Avt-Net" [HKLM\System\CurrentControlSet\Services\Avt-Net] "Description" = "Retrieves the serial number of any portable Sound player connected to this computer.
Thus, this ensures that the malicious code extracted earlier from the library "svcnet32.dll" will be launched automatically each time the system is started.
If this service is stopped, any services that explicitly depend on it will fail to start." "DisplayName" = "Portable Sound Serial Number Services" "ErrorControl" = "0x1" "Group" = "Com Infrastructure" "ObjectName" = "LocalSystem" "Start" = "0x2" "Type" = "0x10" "FailureAction" = "00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 60 EA 00 00" "ImagePath" = "%SystemRoot%\system32\svchost -k Avt-Net" [HKLM\system\CurrentControlSet\Services\Avt-Net\Parameters] "ServiceDll" = "%SystemRoot%\system32\svcnet32.dll" - Hides protected system files, hidden files and folders, as well as extensions for exe files by changing the values of the following system registry keys:
[HKCR\exefile] "NeverShowExt" = "0x0" [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = "0x2" "ShowSuperHidden" = "0x0" [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "0x1"
- It launches the previously-created service "Avt-Net".
- To delete its original file after completing its tasks, it launches the system command interpreter "CMD.EXE" with the following parameters:
/c del <complete path to original Trojan file> > nul
The Trojan then ceases running.
Payload
The launch of the "Avt-Net" service created at the installation stage executes the following actions:
- To ensure that the process of the malware is unique within the system, a unique identifier is created, which is named "_u_hook":
- A hook procedure is implemented, allowing the malware to track messages in the system queue until they are sent to the corresponding window event. The malware tries to prevent the deletion of the file by using the installed hooks:
%Program Files%\360rpv.exe
If deletion is successful, the file is restored from the copy:%Program Files%\syslass.cpl
- Modification of the system registry keys is prevented because they are created in cyclical form:
[HKCR\exefile] "NeverShowExt" = "0x0" [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = "0x2" "ShowSuperHidden" = "0x0" [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "0x1"
- In an infinite cycle at an interval of every 10 seconds it downloads files from the Internet from the following links:
http://me***ager.xicp.net:99/index.txt http://www.mi***ryfocus.net:99/index.txt
and they are saved as%Program Files%\Common Files\Plugins\index.txt
The downloaded files contain lists of links to download other malicious programs to the infected computer. The malware then downloads files from the links indicated and saves them to the current user's temporary directory "%Temp%" under random names. Once downloaded, the files are launched for execution. At the time of writing, both of the links indicated were inactive. After each iteration of the download cycle, the downloaded files are deleted from the cache by calling the function "DeleteUrlCacheEntry".
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the system registry keys (What is a system registry and how do I use it?):
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost] "Avt-Net" = "Avt-Net" [HKLM\System\CurrentControlSet\Services\Avt-Net] "Description" = "Retrieves the serial number of any portable Sound player connected to this computer.
If this service is stopped, any services that explicitly depend on it will fail to start." "DisplayName" = "Portable Sound Serial Number Services" "ErrorControl" = "0x1" "Group" = "Com Infrastructure" "ObjectName" = "LocalSystem" "Start" = "0x2" "Type" = "0x10" "FailureAction" = "00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 60 EA 00 00" "ImagePath" = "%SystemRoot%\system32\svchost -k Avt-Net" [HKLM\system\CurrentControlSet\Services\Avt-Net\Parameters] "ServiceDll" = "%SystemRoot%\system32\svcnet32.dll" - Reboot the computer.
- Delete the following files:
%Program Files%\360rpv.exe %Program Files%\syslass.cpl %System%\svcnet32.dll %Program Files%\Common Files\Plugins\index.txt
- Restore the original system registry key values (What is a system registry and how do I use it?):
[HKCR\exefile] "NeverShowExt" [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" "ShowSuperHidden" [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue"
- Delete the files downloaded by the Trojan in the "%Temp%" folder.
- Empty the Temporary Internet Files folder, which may contain infected files (How to delete infected files from Temporary Internet Files folder?).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
MD5: DBE78ACBE7E384DAF5739DA7BFECFD67
SHA1: B0F05574F6970D0B2DD0E0FF86D2F1FCC683A7C1
Trojan
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
Other versions
Aliases
Trojan.
- Mal/Generic-L (Sophos)
- Trojan.
Agent-148313 (ClamAV) - W32/Bongler-based!Maximus (FPROT)
- Trojan.
Siggen. 446 (DrWeb) - Win32/TrojanDownloader.
Agent. QKR trojan (Nod32) - Dropped:
Trojan. Generic. IS. 433864 (BitDef7) - processing error (VirusBuster)
- Backdoor.
Win32. Torr (Ikarus) - SHeur2.
ATDB (AVG) - TR/Agent.
cyzi (AVIRA) - W32.
Stration@mm (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- Trojan.
Win32. Nodef. xne (Rising) - TROJ_DROPR.
SMS (TrendMicro) - Trojan.
Agent!zEmfN9gfZlE (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.