Internet threat level: 1
Home→Descriptions→Trojan.Win32.Agent.azsy
Trojan.Win32.Agent.azsy
| Detected | Dec 25 2008 00:13 GMT |
| Released | Dec 25 2008 04:37 GMT |
| Published | Mar 12 2009 15:29 GMT |
Payload
Removal instructions
Technical Details
This malicious program is a Trojan. It is a Windows PE EXE file. It is 417792 bytes in size. It is packed using UPX. The unpacked file is approximately 439KB in size. It is written in C++.
Installation
Once launched, the Trojan copies its body to the current user’s Windows startup directory:
Payload
Once the victim machine has been rebooted, the Trojan extracts a file from itself. The file will have one of the names shown below:
%Documents and Settings%\<user_name>\Application Data\taskmon.exe
%Documents and Settings%\<user_name>\Application Data\rundll.exe
%Documents and Settings%\<user_name>\Application Data\service.exe
%Documents and Settings%\<user_name>\Application Data\sound.exe
%Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
%Documents and Settings%\<user_name>\Application Data\lsas.exe
%Documents and Settings%\<user_name>\Application Data\logon.exe
%Documents and Settings%\<user_name>\Application Data\helper.exe
%Documents and Settings%\<user_name>\Application Data\event.exe
%Documents and Settings%\<user_name>\Application Data\dumpreport.exe
%Documents and Settings%\<user_name>\Application Data\msiexeca.exe
This file is 404992 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Agent.aoth.
In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan places a link to the file it extracted from its body in the system registry:
"<rnd1>" = "<rnd2>"
<rnd1> is a name chosen from the list below:
CrashDump EventLog Init lsass Regscan RunDll Setup Sound svchosts System TaskMon UPNP Windows
<rnd> is the path to the file extracted from the Trojan shown in the list above.
Once the Trojan had delivered its payload, it will delete both its body and its copy "%Documents and Settings%\
This Trojan will not run on Russian versions of Windows.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the following system registrykey:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd1>" = "<rnd2>" - Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
%Documents and Settings%\<user_name>\Application Data\svchosts.exe
%Documents and Settings%\<user_name>\Application Data\taskmon.exe
%Documents and Settings%\<user_name>\Application Data\rundll.exe
%Documents and Settings%\<user_name>\Application Data\service.exe
%Documents and Settings%\<user_name>\Application Data\sound.exe
%Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
%Documents and Settings%\<user_name>\Application Data\lsas.exe
%Documents and Settings%\<user_name>\Application Data\logon.exe
%Documents and Settings%\<user_name>\Application Data\helper.exe
%Documents and Settings%\<user_name>\Application Data\event.exe
%Documents and Settings%\<user_name>\Application Data\dumpreport.exe
%Documents and Settings%\<user_name>\Application Data\msiexeca.exe - Delete all files from %Temporary Internet Files%.
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
Trojan.
- Trojan:
Rscan (McAfee) - Troj/Agent-IFD (Sophos)
- Trojan.
Agent-81047 (ClamAV) - Trj/Ilomo.
A (Panda) - Trj/Downloader.
MDW (Panda) - W32/Trojan3.
KH (FPROT) - W32/Trojan2.
GIYW (FPROT) - TrojanDropper:
Win32/Ilomo. B (MS(OneCare)) - Trojan.
Siggen. 26713 (DrWeb) - Win32/TrojanDropper.
Agent. NXV trojan (Nod32) - Trojan.
Generic. 1161916 (BitDef7) - Trojan.
Clampi. A (BitDef7) - Trojan.
Agent. HHHD (VirusBuster) - Trojan.
Agent. KEGZ (VirusBuster) - Win32:
Trojan-gen (AVAST) - Backdoor.
Win32. Afcore (Ikarus) - Dropper.
Small. ada (AVG) - Agent.
AYVR (AVG) - TR/Agent.
ifd. 14. A (AVIRA) - TR/Agent.
ifd. 14. B (AVIRA) - Trojan.
Clampi (NAV) - W32/Agent.
LYKW (Norman) - Suspicious_Gen2.
DQJI (Norman) - Rscan (NAI)
- Trojan.
Win32. Agent. azsy [AVP] (FSecure) - TROJ_DROPPER.
PM (TrendMicro) - TROJ_CLAMPI.
W (TrendMicro) - Trojan.
Win32. Generic!BT (Sunbelt)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.