
Trojan-Dropper.Win32.Agent.dcbd

Detected Jun 28 2010 07:43 GMT
Released Jun 28 2010 16:53 GMT
Published Oct 25 2010 11:59 GMT


Technical Details

This Trojan installs other programs on the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 70 656 bytes in size. It is written in C++.


Payload

Once launched, the Trojan performs the following actions:

  • It extracts files from its body and saves them in the system as:
    %System%\<rnd1>.dll
    (56 320 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.Agent.eiyv")
    This library exports the function "Execute", which is designed to block antivirus programs such as the following on the infected system:
    McAfee
    RAV AntiVirus
    ESET NOD32
    
    It blocks them by stopping their respective services, deleting their system registry keys, and terminating processes that have certain libraries loaded in their address space.
    %System%\<rnd2>.dll
    (8704 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Agent.dxqs")

    This library exports the function "Execute", which downloads files from the Internet and saves them in the "%Temp%" directory. While this function runs, a separate thread re-creates the following system registry autorun key in an endless loop:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "system" = "%System%\system.exe"
    
    This ensures that "%System%\system.exe" is launched automatically each time the system is restarted.

    Here <rnd1> and <rnd2> are random strings of letters (for example, "ugkreaca" and "xonbecca").

  • It launches the system utility "rundll32.exe" with the following parameters:
    %System%\<rnd1>.dll Execute
    %System%\<rnd2>.dll Execute
    
    In this way, the "Execute" function exported by each extracted library is called.
  • It moves its body to the file:
    %System%\system.exe
The Trojan then ceases running.
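The behaviour above leaves three host-level indicators a defender can look for in process, registry and file telemetry: rundll32.exe invoking the "Execute" export of a random-named DLL in the system directory, the "system" autorun value under HKLM\...\Run pointing at %System%\system.exe, and the dropped system.exe itself. The following matcher is an added example, not Kaspersky's code or part of this entry; it runs over constructed Sysmon-style event records (the field names and sample values are assumptions, not real telemetry).

```python
import re
from typing import Iterable, Optional

# Constructed sample events (not real telemetry). The first four reproduce the
# indicators described on this page; the last two are benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\ugkreaca.dll Execute"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\xonbecca.dll Execute"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "system", "data": r"C:\Windows\System32\system.exe"},
    {"type": "file", "path": r"C:\Windows\System32\system.exe"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# rundll32 loading a DLL with a random lowercase-letter name from the system
# directory and calling its "Execute" export ("%System%\<rnd>.dll Execute").
RUNDLL_RE = re.compile(
    r"rundll32\.exe\s+.*\\system32\\([a-z]{6,10})\.dll\s+Execute\s*$", re.IGNORECASE)
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"


def match_event(ev: dict) -> Optional[str]:
    """Return an indicator name if the event matches one of the page's IoCs."""
    if ev["type"] == "process" and RUNDLL_RE.search(ev["cmdline"]):
        return "rundll32_execute_export"
    if (ev["type"] == "registry"
            and ev["key"].upper().startswith("HKLM")
            and ev["key"].lower().endswith(RUN_KEY_SUFFIX)
            and ev["value"].lower() == "system"
            and ev["data"].lower().endswith(r"\system32\system.exe")):
        return "hklm_run_system_exe"
    if ev["type"] == "file" and ev["path"].lower().endswith(r"\system32\system.exe"):
        return "system_exe_dropped"
    return None


def scan(events: Iterable[dict]) -> list:
    """Scan events in order; return (index, indicator) pairs for every hit."""
    return [(i, ind) for i, ev in enumerate(events) if (ind := match_event(ev))]


if __name__ == "__main__":
    for idx, ind in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {ind}")
```

A match on the registry or file indicator alone is strong evidence, since a legitimate Windows install has no %System%\system.exe; the rundll32 pattern is broader and is best correlated with the other two.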


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the following files:
    %System%\<rnd1>.dll 
    %System%\<rnd2>.dll 
    %System%\system.exe
    
  2. Reboot the computer or terminate the process containing the Trojan library in its address space.
  3. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "system" = "%System%\system.exe"
    
  4. Delete the files downloaded by the Trojan in the "%Temp%" folder.
  5. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
  6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.


MD5: BB03D3B06ADDCA203E44511C49D4BD7C
SHA1: D755E91488D689A60D9CB6EA5BFBB4B610F4EE8F


Trojan-Dropper

Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.

This type of malicious program usually saves a range of files to the victim's drive (usually to the Windows directory, the Windows system directory, a temporary directory, etc.) and launches them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).

Such programs are used by hackers to:

  • secretly install Trojan programs and/or viruses
  • protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojan.

Aliases

Trojan-Dropper.Win32.Agent.dcbd (Kaspersky Lab) is also known as:

  • Trojan-Downloader.Win32.Agent.dych (Kaspersky Lab)
  • Trojan: Downloader-BVN (McAfee)
  • Sus/Dropper-A (Sophos)
  • Heuristics.Broken.Executable (ClamAV)
  • Worm:Win32/Citeary.D (MS(OneCare))
  • Trojan.MulDrop.59624 (DrWeb)
  • Trojan.Generic.4539103 (BitDef7)
  • Win32:Downloader-FVM [Trj] (AVAST)
  • Trojan-Dropper.Agent (Ikarus)
  • HEUR/Malware (AVIRA)
  • W32.SillyDC (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)