Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Agent.aiad
Trojan-Dropper.Win32.Agent.aiad
| Detected | Feb 26 2009 18:52 GMT |
| Released | Feb 26 2009 23:24 GMT |
| Published | Oct 25 2010 09:39 GMT |
Payload
Removal instructions
Technical Details
This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 33 400 bytes in size. It is packed using UPX. The unpacked file is approximately 73 KB in size. It is written in Delphi.
Payload
Once launched, the Trojan performs the following actions:
- It deletes the following file:
%Program Files%\Internet Explorer\JavaNe64.Bet
- It copies its body to a file:
%Program Files%\Internet Explorer\JavaNe64.Bet
The first 2 bytes of the file are replaced with4B 4F
- It extracts a file from its body and saves it under the following name:
%Program Files%\Internet Explorer\BoboChen.jsp
(50 296 bytes; detected by Kaspersky Anti-Virus as "Worm.Win32.AutoRun.aazu") The file is created with the "hidden" and "system" attributes.The extracted library contains functionality that enables the malicious user to hijack accounts of the Chinese Tencent QQ instant messaging service.
- It launches its original file with the "Z" parameter. In addition to the above-mentioned actions, it creates in the system a window called "Jsxtxut" (window class: "Button"). Messages sent to the created window are processed using the "MgHookOp" and "MgHookCs" functions from the previously extracted library.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following files:
%Program Files%\Internet Explorer\JavaNe64.Bet %Program Files%\Internet Explorer\BoboChen.jsp
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
MD5: 4DA4FC0A5FB8A56792FC45376EB63499
SHA1: F25E622929AE4C77C234CFF0C15E81C09C4880A2
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- Trojan:
PWS-OnlineGames. e (McAfee) - Troj/QQPass-Gen (Sophos)
- Heuristic.
WinPE-Statistical (Panda) - W32/AutoRun.
D. gen!Eldorado (FPROT) - Trojan.
PWS. Lineage. origin (DrWeb) - Trojan.
PWS. Lineage. 6464 (DrWeb) - a variant of Win32/PSW.
Delf. NLZ trojan (Nod32) - Trojan.
OnlineGames. Gen. 65 (VirusBuster) - PSW.
Delf. DAP (AVG) - TR/ATRAPS.
Gen (AVIRA) - Infostealer (NAV)
- SandBox found 'W32/Malware'.
Infection details: [ General information ] (Norman) - Trojan.
PSW. Win32. QQPass. eal (Rising) - Trojan-Dropper.
Win32. Agent. aiad [AVP] (FSecure) - Mal_Qqhook (TrendMicro)
- Trojan.
OnlineGames. Gen. 65 (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.