English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsTrojan.Win32.Agent2.dtb

Trojan.Win32.Agent2.dtb

Detected Feb 16 2009 22:09 GMT
Released Feb 17 2009 03:34 GMT
Published Mar 12 2009 15:23 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan calls premium rate numbers without the knowledge or consent of the user. It is a Windows PE EXE file. It is 25131 bytes in size. It is written in Delphi.


Payload

Once launched, the Trojan launches a copy of its own process and injects malicious code (detected by Kaspersky Anti-Virus as Trojan.Win32.Dialer.tvx) into this process.

This code will:

  1. Get accessible modem connections on the user’s computer;
  2. Download a file from the URL shown below:
    http://91.***.118.***/Dialer_Min/number.asp

This file is saved to the Windows directory as “number.txt”:

%WinDir%\number.txt

Parameters and phone numbers which will be used to make future calls are read from this file. The file will then be deleted.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete all files from %Temporary Internet Files%.
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Trojans
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions
Trojan.Win32.Agent2.ddnd
Trojan.Win32.Agent2.dmdi
Trojan.Win32.Agent2.dmuw
Trojan.Win32.Agent2.dmvt
Trojan.Win32.Agent2.lmu

Aliases

Trojan.Win32.Agent2.dtb (Kaspersky Lab) is also known as:

  • Trojan: Spam-Mailbot.l (McAfee)
  • Mal/DelfInj-B (Sophos)
  • Trojan.Agent-87162 (ClamAV)
  • Trj/Nabload.DLC (Panda)
  • W32/Trojan2.GHRQ (FPROT)
  • VirTool:Win32/DelfInject.gen!AF (MS(OneCare))
  • Dialer.Siggen.122 (DrWeb)
  • Win32/Dialer.NGR trojan (Nod32)
  • Dialer.Generic.47375 (BitDef7)
  • Trojan.Agent2.DLI (VirusBuster)
  • Win32:Delf-LWM [Drp] (AVAST)
  • Trojan-Dialer (Ikarus)
  • Dialer.OGP (AVG)
  • DR/Delphi.Gen (AVIRA)
  • Dialer.Generic (NAV)
  • W32/Banload.AQUM (Norman)
  • Trojan.Win32.Agent2.dtb [AVP] (FSecure)

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search