Trojan.Win32.Agent.azsy

Detected Dec 25 2008 00:13 GMT
Released Dec 25 2008 04:37 GMT
Published Mar 12 2009 15:29 GMT

Technical Details
Payload
Removal instructions

Technical Details

This malicious program is a Trojan. It is a Windows PE EXE file. It is 417792 bytes in size. It is packed using UPX. The unpacked file is approximately 439KB in size. It is written in C++.

Installation

Once launched, the Trojan copies its body to the current user’s Windows startup directory:

%Documents and Settings%\<user_name>\Main Menu\Programs\Startup\uninstall.exe

Payload

Once the victim machine has been rebooted, the Trojan extracts a file from itself. The file will have one of the names shown below:

%Documents and Settings%\<user_name>\Application Data\svchosts.exe
%Documents and Settings%\<user_name>\Application Data\taskmon.exe
%Documents and Settings%\<user_name>\Application Data\rundll.exe
%Documents and Settings%\<user_name>\Application Data\service.exe
%Documents and Settings%\<user_name>\Application Data\sound.exe
%Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
%Documents and Settings%\<user_name>\Application Data\lsas.exe
%Documents and Settings%\<user_name>\Application Data\logon.exe
%Documents and Settings%\<user_name>\Application Data\helper.exe
%Documents and Settings%\<user_name>\Application Data\event.exe
%Documents and Settings%\<user_name>\Application Data\dumpreport.exe
%Documents and Settings%\<user_name>\Application Data\msiexeca.exe

This file is 404992 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Agent.aoth.

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan places a link to the file it extracted from its body in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd1>" = "<rnd2>"

<rnd1> is a name chosen from the list below:

CrashDump
EventLog
Init
lsass
Regscan
RunDll
Setup
Sound
svchosts
System
TaskMon
UPNP
Windows

<rnd2> is the full path of the file extracted from the Trojan, i.e. one of the Application Data paths listed above.

Once the Trojan has delivered its payload, it deletes both its own body and its copy "%Documents and Settings%\<user_name>\Main Menu\Programs\Startup\uninstall.exe".

This Trojan will not run on Russian versions of Windows.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the following system registry key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "<rnd1>" = "<rnd2>"
  3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  4. Delete the following files:
    %Documents and Settings%\<user_name>\Application Data\svchosts.exe
    %Documents and Settings%\<user_name>\Application Data\taskmon.exe
    %Documents and Settings%\<user_name>\Application Data\rundll.exe
    %Documents and Settings%\<user_name>\Application Data\service.exe
    %Documents and Settings%\<user_name>\Application Data\sound.exe
    %Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
    %Documents and Settings%\<user_name>\Application Data\lsas.exe
    %Documents and Settings%\<user_name>\Application Data\logon.exe
    %Documents and Settings%\<user_name>\Application Data\helper.exe
    %Documents and Settings%\<user_name>\Application Data\event.exe
    %Documents and Settings%\<user_name>\Application Data\dumpreport.exe
    %Documents and Settings%\<user_name>\Application Data\msiexeca.exe
  5. Delete all files from %Temporary Internet Files%.
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
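As an added illustration (not part of the original description), the following Python script applies the indicators above to an exported copy of the Run key (produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`). It flags an entry only when its value name is one of the <rnd1> candidates AND its target file name is one of the dropped-file names, a heuristic chosen here because names such as "Windows" or "System" are too generic on their own; the sample export is constructed.

```python
import re

# Value names the description lists as candidates for <rnd1>
RND1_NAMES = {"crashdump", "eventlog", "init", "lsass", "regscan", "rundll", "setup",
              "sound", "svchosts", "system", "taskmon", "upnp", "windows"}
# File names the extracted component may be given under Application Data
DROPPED_FILES = {"svchosts.exe", "taskmon.exe", "rundll.exe", "service.exe", "sound.exe",
                 "upnpsvc.exe", "lsas.exe", "logon.exe", "helper.exe", "event.exe",
                 "dumpreport.exe", "msiexeca.exe"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample of what `reg export` writes. Only the TaskMon entry matches
# both lists; the "Windows" entry is a benign value-name clash and must not fire.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows"="C:\\Program Files\\Vendor\\updater.exe"
"TaskMon"="C:\\Documents and Settings\\alice\\Application Data\\taskmon.exe"
'''

def parse_reg_export(text: str) -> dict:
    """Return {value_name: data} for the Run key section of a .reg export."""
    values, in_run = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a new key section begins
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = _VALUE_RE.match(line)
        if in_run and m:
            # .reg files escape backslashes and double quotes inside string data
            values[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values

def find_suspicious_entries(values: dict) -> list:
    """Entries whose name is an <rnd1> candidate AND whose target is a dropped file name."""
    hits = []
    for name, data in values.items():
        basename = data.strip('"').rsplit("\\", 1)[-1].lower()
        if name.lower() in RND1_NAMES and basename in DROPPED_FILES:
            hits.append((name, data))
    return hits

def check_sample() -> list:
    """Run the check against the constructed export; returns [(name, path), ...]."""
    return find_suspicious_entries(parse_reg_export(SAMPLE_REG_EXPORT))
```

`reg export` typically writes UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `parse_reg_export`; a hit points at the value to delete in step 2 and the file to delete in step 4.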

Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Agent.azsy (Kaspersky Lab) is also known as:

  • Trojan: Rscan (McAfee)
  • Troj/Agent-IFD (Sophos)
  • Trojan.Agent-81047 (ClamAV)
  • Trj/Ilomo.A (Panda)
  • Trj/Downloader.MDW (Panda)
  • W32/Trojan3.KH (FPROT)
  • W32/Trojan2.GIYW (FPROT)
  • TrojanDropper:Win32/Ilomo.B (MS(OneCare))
  • Trojan.Siggen.26713 (DrWeb)
  • Win32/TrojanDropper.Agent.NXV trojan (Nod32)
  • Trojan.Generic.1161916 (BitDef7)
  • Trojan.Clampi.A (BitDef7)
  • Trojan.Agent.HHHD (VirusBuster)
  • Trojan.Agent.KEGZ (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Backdoor.Win32.Afcore (Ikarus)
  • Dropper.Small.ada (AVG)
  • Agent.AYVR (AVG)
  • TR/Agent.ifd.14.A (AVIRA)
  • TR/Agent.ifd.14.B (AVIRA)
  • Trojan.Clampi (NAV)
  • W32/Agent.LYKW (Norman)
  • Suspicious_Gen2.DQJI (Norman)
  • Rscan (NAI)
  • Trojan.Win32.Agent.azsy [AVP] (FSecure)
  • TROJ_DROPPER.PM (TrendMicro)
  • TROJ_CLAMPI.W (TrendMicro)
  • Trojan.Win32.Generic!BT (Sunbelt)