Trojan-Downloader.Win32.Agent.tuc

Technical Details

This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 26552 bytes in size. It is packed using UPX. The unpacked file is approximately 43KB in size. It is written in Delphi.

Payload

The Trojan displays the following message:

It also modifies the following system registry key parameter values:

• Prevents Task Manager from being launched in order to view processes, priority changes or the state of individual processes:
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  "DisableTaskMgr" = "1"
• Prevents Regedit.exe. or Regedt32.exe from being launched in order to edit the system registry:
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  "DisableRegistryTools" = "1"
• Disables the Run shortcut in the Start menu, and also the <WIN>+<R> key combination:
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  "NoRun" = "1"
• Prevents the computer from being shut down by choosing Shut Down from the Start menu, or by pressing Ctrl+Shift+Del:

Stops services listed below:

The Trojan sends a request to download a file from one of the addresses shown below which belong to the malicious user:

The file will be saved as "index.html " to the following directory:

At the time of writing, the Trojan reads the following URLs from the downloaded file in order to download further files:

These files will be saved as follows:

The Trojan then extracts the files shown below from the files it downloaded and saved, and saves them to the current user's Windows temporary directory:

This file is 10240 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Pakes.kxv.

This file is 85960 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.bfr.

This file is 291776 bytes in size.

This file is 44032 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Delf.fdx.

This file is 419731 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.Win32.Agent.agih.

This file is 45063 bytes in size. It will be detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.ZenoSearch.o.

The saved files are then launched for execution.

The Trojan then creates a command interpreter file called "updq.bat" in the same directory:

It writes code to delete the body of the Trojan and the "%WinDir%Web Download" directory to this file.

When it has delivered its payload, the Trojan launches "%Temp%\upd1.bat" for execution.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.
2. Delete the following system registry key parameter values:
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   "DisableTaskMgr" = "1"
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   "DisableRegistryTools" = "1"
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   "NoRun" = "1"
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   "NoClose" = "1"
3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
4. Empty the temporary directory (%Temp%).
5. Delete all files from %Temporary Internet Files%.
6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).