
Trojan.Win32.Agent.cyzi

Detected Oct 12 2009 05:43 GMT
Released Oct 12 2009 10:50 GMT
Published Apr 29 2011 10:39 GMT


Technical Details

This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file). It is 13 824 bytes in size. It is packed using UPX. The unpacked file is approximately 24 KB in size. It is written in C++.

Installation

Once launched, the Trojan performs the following actions:

  • It copies its body to the files:
    %Program Files%\360rpv.exe
    %Program Files%\syslass.cpl
    
  • It extracts a file from its body and saves it in the system as:
    %System%\svcnet32.dll (13 312 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.Agent.cyzi")
    The creation and modification date and time of this file are set to match those of the system file:
    %System%\ntdll.dll
  • The "hidden", "system" and "read only" attributes are assigned to the files that are created; the original Trojan file is assigned the "hidden" attribute.
  • It creates a service with the following parameters:
    - Name: "Avt-Net"
    - Display name: "Portable Sound Serial Number Services"
    - Executable file: %SystemRoot%\system32\svchost -k Avt-Net
  • It creates the following system registry keys:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    "Avt-Net" = "Avt-Net"
    
    [HKLM\System\CurrentControlSet\Services\Avt-Net]
    "Description" = "Retrieves the serial number of any portable Sound player connected to this computer. If this service is stopped, any services that explicitly depend on it will fail to start."
    "DisplayName" = "Portable Sound Serial Number Services"
    "ErrorControl" = "0x1"
    "Group" = "Com Infrastructure"
    "ObjectName" = "LocalSystem"
    "Start" = "0x2"
    "Type" = "0x10"
    "FailureAction" = "00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 60 EA 00 00"
    "ImagePath" = "%SystemRoot%\system32\svchost -k Avt-Net"
    
    [HKLM\System\CurrentControlSet\Services\Avt-Net\Parameters]
    "ServiceDll" = "%SystemRoot%\system32\svcnet32.dll"
    
    This ensures that the library "svcnet32.dll" extracted earlier is loaded by svchost.exe, so its malicious code runs automatically each time the system starts.
  • Hides protected system files, hidden files and folders, as well as extensions for exe files by changing the values of the following system registry keys:
    [HKCR\exefile]
    "NeverShowExt" = "0x0"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "0x2"
    "ShowSuperHidden" = "0x0"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "0x1"
    
  • It launches the previously-created service "Avt-Net".
  • To delete its original file after completing its tasks, it launches the system command interpreter "CMD.EXE" with the following parameters:
    /c del <complete path to original Trojan file> > nul

The Trojan then ceases running.


Payload

When the "Avt-Net" service created during installation is started, it performs the following actions:

  • To ensure that only one instance of the malware runs on the system, it creates a unique identifier named "_u_hook".
  • It installs a hook procedure that lets the malware intercept messages in the system queue before they are delivered to the target window. Using this hook, the malware tries to prevent deletion of the file:
    %Program Files%\360rpv.exe
    If the file is deleted anyway, it is restored from the copy:
    %Program Files%\syslass.cpl
  • It prevents the following system registry values from being changed by re-setting them in a loop:
    [HKCR\exefile]
    "NeverShowExt" = "0x0"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "0x2"
    "ShowSuperHidden" = "0x0"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "0x1"
    
  • In an infinite loop, every 10 seconds, it downloads files from the following links:
    http://me***ager.xicp.net:99/index.txt
    http://www.mi***ryfocus.net:99/index.txt
    
    and saves them as:
    %Program Files%\Common Files\Plugins\index.txt
    The downloaded files contain lists of links from which further malicious programs are downloaded to the infected computer. The malware downloads the files from those links, saves them under random names in the current user's temporary directory "%Temp%", and then launches them. At the time of writing, both of the links indicated were inactive. After each iteration of the download loop, the downloaded files are removed from the cache by calling the function "DeleteUrlCacheEntry".
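As an added example (not part of this description or of any Kaspersky tooling), the following Python check parses a Windows registry export (.reg text) and flags the "Avt-Net" service registration listed under Installation and the Explorer hidden-file settings the payload re-sets in a loop. The sample export is constructed for illustration, and the key paths are taken from the description above.

```python
SVCHOST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\svchost"
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\avt-net"
EXPLORER_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"

# Constructed sample export mirroring the keys described above (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
"Avt-Net"="Avt-Net"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Avt-Net]
"DisplayName"="Portable Sound Serial Number Services"
"ImagePath"="%SystemRoot%\\system32\\svchost -k Avt-Net"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Avt-Net\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\svcnet32.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"""

def parse_reg(text):
    """Parse .reg text into {key path: {value name: value}}; handles strings and dwords."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            else:  # .reg files escape backslashes in string data
                value = raw.strip('"').replace("\\\\", "\\")
            keys[current][name.lower()] = value
    return keys

def find_indicators(keys):
    svc = keys.get(SERVICE_KEY, {})
    params = keys.get(SERVICE_KEY + r"\parameters", {})
    explorer = keys.get(EXPLORER_KEY, {})
    checks = [
        ("svchost group 'Avt-Net' registered", "avt-net" in keys.get(SVCHOST_KEY, {})),
        ("service 'Avt-Net' hosted by svchost", "svchost -k avt-net" in str(svc.get("imagepath", "")).lower()),
        ("ServiceDll points to svcnet32.dll", str(params.get("servicedll", "")).lower().endswith("svcnet32.dll")),
        # Hidden=2 / ShowSuperHidden=0 are also Windows defaults, so this is only a weak signal
        ("Explorer hides hidden/protected files (weak signal)", explorer.get("hidden") == 2 and explorer.get("showsuperhidden") == 0),
    ]
    return [message for message, hit in checks if hit]
```

Export the relevant hives with reg.exe on the suspect host and run the parser on the resulting file; the service and ServiceDll checks are the decisive ones, the Explorer check only adds context.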

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the system registry keys:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
    "Avt-Net" = "Avt-Net"
    
    [HKLM\System\CurrentControlSet\Services\Avt-Net]
    "Description" = "Retrieves the serial number of any portable Sound player connected to this computer. If this service is stopped, any services that explicitly depend on it will fail to start."
    "DisplayName" = "Portable Sound Serial Number Services"
    "ErrorControl" = "0x1"
    "Group" = "Com Infrastructure"
    "ObjectName" = "LocalSystem"
    "Start" = "0x2"
    "Type" = "0x10"
    "FailureAction" = "00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 60 EA 00 00"
    "ImagePath" = "%SystemRoot%\system32\svchost -k Avt-Net"
    
    [HKLM\System\CurrentControlSet\Services\Avt-Net\Parameters]
    "ServiceDll" = "%SystemRoot%\system32\svcnet32.dll"
  2. Reboot the computer.
  3. Delete the following files:
    %Program Files%\360rpv.exe
    %Program Files%\syslass.cpl
    %System%\svcnet32.dll 
    %Program Files%\Common Files\Plugins\index.txt
    
  4. Restore the original values of the following system registry keys:
    [HKCR\exefile]
    "NeverShowExt"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" 
    "ShowSuperHidden"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"
    
  5. Delete the files downloaded by the Trojan in the "%Temp%" folder.
  6. Empty the Temporary Internet Files folder, which may contain infected files.
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.

MD5: DBE78ACBE7E384DAF5739DA7BFECFD67

SHA1: B0F05574F6970D0B2DD0E0FF86D2F1FCC683A7C1


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.



Aliases

Trojan.Win32.Agent.cyzi (Kaspersky Lab) is also known as:

  • Mal/Generic-L (Sophos)
  • Trojan.Agent-148313 (ClamAV)
  • W32/Bongler-based!Maximus (FPROT)
  • Trojan.Siggen.446 (DrWeb)
  • Win32/TrojanDownloader.Agent.QKR trojan (Nod32)
  • Dropped:Trojan.Generic.IS.433864 (BitDef7)
  • processing error (VirusBuster)
  • Backdoor.Win32.Torr (Ikarus)
  • SHeur2.ATDB (AVG)
  • TR/Agent.cyzi (AVIRA)
  • W32.Stration@mm (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Win32.Nodef.xne (Rising)
  • TROJ_DROPR.SMS (TrendMicro)
  • Trojan.Agent!zEmfN9gfZlE (VirusBusterBeta)