Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Agent.akap
Trojan-Dropper.Win32.Agent.akap
| Detected | Jan 15 2010 19:34 GMT |
| Released | Jan 20 2010 17:07 GMT |
| Published | Oct 26 2010 08:51 GMT |
Payload
Removal instructions
Technical Details
This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 21 580 bytes in size. It is packed using PE_Patch or UPack. The unpacked file is approximately 283 KB in size. It is written in C++.
Payload
Once launched, the Trojan creates a unique identifier to ensure that its process is unique in the system:
__NBA_MUTEX_0__Also, the following directory is created in the root directory of the C drive:
C:\<rnd>where <rnd> is an eight-digit hexadecimal number generated on the basis of the current system time.
The directory is created with the "hidden" and "system" attributes.
If the Trojan detects the driver called "ProtectedC.sys", it extracts the following files from its body:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\human.exe(4096 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.yaa")
\\.\Root#RCVYL#0000#KsecDD\%System%\mmc.exe(4096 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.yaa")
\\.\Root#RCVYL#0000#KsecDD\%System%\user32.dll(4096 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.Patched.dz")
\\.\Root#RCVYL#0000#KsecDD\%System%\winhlp32.exe(4096 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.xxg")
If the "hintFD.sys" driver is present in the system, the Trojan performs the following actions:
- It extracts the library from its body and saves it as:
C:\<rnd>\<rnd>.dll
(4608 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.yki") - It calls the "HookEnter" function from the extracted library.
- It extracts the following files from its body:
\\.\HintZ0\%System%\mmc.exe \\.\HintZ0\%System%\user32.dll \\.\HintZ0\%System%\winhlp32.exe \\.\HintZ3\%System%\mmc.exe \\.\HintZ3\%System%\user32.dll \\.\HintZ3\%System%\winhlp32.exe
These files are the same as those described above. - It calls the "HookLeave" function from the extracted "<rnd>.dll" library and deletes this library. The Trojan also performs the following actions:
- It terminates the "Beep" system service and substitutes its binary file:
%System%\drivers\beep.sys
with the file it extracted from its own body. The file is 13 696 bytes in size. It is detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Small.xxh". The Trojan then restarts this service. - It restores the original content of the file:
%System%\drivers\beep.sys
- It downloads a file from the Internet via the following link:
http://www.m***8.cn/new.txt (At the time of writing this link was inactive)
The file is saved in the system as:C:\<rnd>\<rnd>
It contains links used to download other malicious files to the infected computer. From these links, the Trojan downloads files and saves them to the directory "C:\<rnd>" under random names.Once successfully downloaded, the files will be launched for execution.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the directory "C:\<rnd>" and all of its contents.
- Delete files created by the Trojan:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\human.exe \\.\Root#RCVYL#0000#KsecDD\%System%\mmc.exe \\.\Root#RCVYL#0000#KsecDD\%System%\user32.dll \\.\Root#RCVYL#0000#KsecDD\%System%\winhlp32.exe \\.\HintZ0\%System%\mmc.exe \\.\HintZ0\%System%\user32.dll \\.\HintZ0\%System%\winhlp32.exe \\.\HintZ3\%System%\mmc.exe \\.\HintZ3\%System%\user32.dll \\.\HintZ3\%System%\winhlp32.exe
- Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
MD5: 1A9DCFBC6D7328A30D2EBB6B91D32356
SHA1: 0C9B608689F3FEF55E963B304895262391ED5432
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- Mal/DwnLd-B (Sophos)
- Trojan.
Downloader-56895 (ClamAV) - W32/SuspPack.
C. gen!Eldorado (FPROT) - Trojan:
Win32/Glox. gen!damaged (MS(OneCare)) - Win32/Kryptik.
AE trojan (Nod32) - Trojan.
Generic. 475601 (BitDef7) - Packed/Upack (VirusBuster)
- Win32:
Trojan-gen (AVAST) - Backdoor.
Win32. Popwin (Ikarus) - Crypt.
OV (AVG) - TR/Dropper.
Gen (AVIRA) - W32/Packed_Upack.
A (Norman) - Packer.
Win32. Agent. bb [Suspicious] (Rising) - Trojan-Dropper.
Win32. Agent. akap [AVP] (FSecure) - TROJ_DLOADER.
VXA (TrendMicro) - Trojan.
Win32. Packer. Upack0. 3. 9 (v) (Sunbelt)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.