
Trojan.Win32.Agent.daec

Detected Oct 25 2009 08:29 GMT
Released Oct 25 2009 12:40 GMT
Published Mar 25 2011 07:29 GMT


Technical Details

This Trojan delivers a malicious payload to the user's computer. It is a Windows PE DLL, 27,136 bytes in size, written in C++.

Installation

The Trojan copies its body to the Windows system directory as "oife.mro":

%System%\oife.mro
To ensure that it is launched automatically when the system is rebooted, the Trojan appends a command to the Winlogon "Shell" value in the system registry, which normally contains only "Explorer.exe":
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe oife.mro printer"
Note that the dropped file keeps its non-standard ".mro" extension: rundll32.exe loads it as a library regardless of the extension and calls its exported function "printer". Any Winlogon "Shell" value other than "Explorer.exe" should be treated as a persistence indicator.


Payload

If Microsoft Office 2003 (version 11.0) is installed on the user's computer, the Trojan lowers Word's macro security to "Low" and trusts programmatic access to the VBA project object model by setting the following values in the system registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"Level" = "1"
"AccessVBOM" = "1"
With these settings Word runs macros without prompting and lets a program insert VBA code into a document. The Trojan then executes a macro that launches the original Trojan body.

To ensure that only one copy of it runs on the system, the Trojan creates the following unique identifier:

3822222222e3d27b8e
The Trojan then creates a process named "svchost.exe" and injects its malicious code into that process's address space. Legitimate svchost.exe instances are started by services.exe, so an svchost.exe with a different parent process is worth inspecting during triage.
The Trojan sends a request to the following address:
http://lio***g.org/t/scb.php
At the time of writing, this link was inactive.

In response, it receives a configuration file that drives its subsequent behaviour. The links for downloading other malicious files that it receives in the configuration are saved by the Trojan in the following registry key:

[HKCR\idid]


Removal instructions

If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following files:
    %System%\oife.mro
  3. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?):
    %Temporary Internet Files%
  4. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKCR\idid]
  5. If necessary, restore the values of the "Level" and "AccessVBOM" parameters in the system registry key to their previous settings (see What is a system registry and how do I use it?); the Trojan sets both to "1", meaning macro security "Low" and trusted access to the VBA project, whereas the Office 2003 default is "High" ("Level" = "3") with "AccessVBOM" = "0":
    [HKCU\Software\Microsoft\Office\11.0\Word\Security]
    "Level"
    "AccessVBOM"
    
  6. Restore the value of the system registry key parameter to the following (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe"
    
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
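The following Python script is an added example, not part of Kaspersky's description or of the Trojan itself. It turns the installation and payload artifacts listed above (the Winlogon "Shell" value, the Word 11.0 security values, the HKCR\idid key and the dropped file) and the removal steps into an offline triage check that reports each artifact found together with the restore action. It works on a flat mapping of registry value paths to data, as you would build from a "reg export" or a parsed hive, so it runs without Windows; the sample registry data, the %System% listing and the placeholder download URL are constructed for this example.

```python
"""Offline triage for the registry and file artifacts described on this page.

The checks take a flat {value path: data} mapping, as you would build from a
`reg export` or a parsed registry hive, plus a listing of %System%, and return
one Finding per artifact with the restore action from the removal steps.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SHELL_VALUE = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
WORD_SECURITY = r"HKCU\Software\Microsoft\Office\11.0\Word\Security"
CONFIG_KEY = r"HKCR\idid"
DROPPED_NAME = "oife.mro"

# Meaning of the Office 2003 (11.0) "Level" value; the Trojan sets it to 1.
MACRO_LEVELS = {"1": "Low", "2": "Medium", "3": "High", "4": "Very High"}


@dataclass
class Finding:
    artifact: str
    observed: str
    restore: str


def parse_rundll32(command: str) -> Optional[Tuple[str, str]]:
    """Split 'rundll32.exe <library> <entry>' (space or comma separated)
    into (library, entry); None if the command is not a rundll32 invocation."""
    m = re.match(r'\s*"?rundll32(?:\.exe)?"?\s+"?([^"\s,]+)"?\s*,?\s*(\S+)?',
                 command, re.IGNORECASE)
    if not m:
        return None
    return m.group(1), m.group(2) or ""


def check_shell(value: str) -> Optional[Finding]:
    """Winlogon's Shell value should be exactly Explorer.exe; anything the
    Trojan appends is launched at every logon."""
    if value.strip().lower() == "explorer.exe":
        return None
    tail = re.sub(r"^\s*explorer(?:\.exe)?[\s,]*", "", value, flags=re.IGNORECASE)
    observed = f"appended command {tail!r}"
    parsed = parse_rundll32(tail)
    if parsed:
        library, entry = parsed
        observed += f" (rundll32 loads {library!r}, calls export {entry!r})"
    return Finding(SHELL_VALUE, observed, 'set "Shell" back to "Explorer.exe"')


def check_word_security(reg: Dict[str, str]) -> List[Finding]:
    """Flag the two values the Trojan changes to let its macro run unchallenged."""
    findings = []
    level = reg.get(WORD_SECURITY + r"\Level")
    if level == "1":
        findings.append(Finding(WORD_SECURITY + r"\Level",
                                f"macro security {MACRO_LEVELS[level]} ({level})",
                                "restore the previous level (Office 2003 default is High, 3)"))
    if reg.get(WORD_SECURITY + r"\AccessVBOM") == "1":
        findings.append(Finding(WORD_SECURITY + r"\AccessVBOM",
                                "programmatic access to the VBA project trusted (1)",
                                "set AccessVBOM to 0 unless it was deliberately enabled"))
    return findings


def check_config_key(reg: Dict[str, str]) -> List[Finding]:
    """Values under HKCR\\idid are the download URLs received in the C2 configuration."""
    prefix = CONFIG_KEY.lower() + "\\"
    return [Finding(path, data, f"delete key {CONFIG_KEY}")
            for path, data in reg.items() if path.lower().startswith(prefix)]


def check_system_dir(listing: List[str]) -> List[Finding]:
    """The dropped body keeps its non-.dll name; rundll32 loads it regardless."""
    return [Finding(f"%System%\\{name}", "dropped Trojan body", "delete the file")
            for name in listing if name.lower() == DROPPED_NAME]


def triage(reg: Dict[str, str], system_listing: List[str]) -> List[Finding]:
    """Run every check and return the findings in removal-step order."""
    findings: List[Finding] = []
    shell = reg.get(SHELL_VALUE)
    if shell is not None:
        hit = check_shell(shell)
        if hit:
            findings.append(hit)
    findings += check_word_security(reg)
    findings += check_config_key(reg)
    findings += check_system_dir(system_listing)
    return findings


# Constructed sample data mirroring the values described on this page; the
# download URL is a placeholder, not one observed in the wild.
SAMPLE_REGISTRY = {
    SHELL_VALUE: "Explorer.exe rundll32.exe oife.mro printer",
    WORD_SECURITY + r"\Level": "1",
    WORD_SECURITY + r"\AccessVBOM": "1",
    CONFIG_KEY + r"\0": "http://example.invalid/payload.exe",
}
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "oife.mro", "shell32.dll"]

if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRY, SAMPLE_SYSTEM_DIR):
        print(f"{f.artifact}\n  observed: {f.observed}\n  restore:  {f.restore}")
```

The Shell check deliberately flags any value other than "Explorer.exe" rather than matching the exact string from this sample, since the dropped file name and export are specific to this variant while the persistence technique is shared across the family; the rundll32 parser only adds detail when the appended command is of that form.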


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.



Aliases

Trojan.Win32.Agent.daec (Kaspersky Lab) is also known as:

  • Trojan: BackDoor-EHH (McAfee)
  • Troj/Oficla-Gen (Sophos)
  • Trojan.Agent-131159 (ClamAV)
  • Trj/Downloader.MDW (Panda)
  • Trojan:Win32/Oficla.E (MS(OneCare))
  • Trojan.Advload.9 (DrWeb)
  • Win32/Oficla.AP trojan (Nod32)
  • Trojan.Generic.2707337 (BitDef7)
  • Win32:Oficla-D [Trj] (AVAST)
  • Backdoor.Bredavi (Ikarus)
  • Agent2.YLS (AVG)
  • TR/Agent.daec.4 (AVIRA)
  • Trojan Horse (NAV)
  • Trojan.Win32.Agent.daec [AVP] (FSecure)
  • TROJ_SASFIS.SMA (TrendMicro)