|Detected||Jun 28 2010 07:43 GMT|
|Released||Jun 28 2010 16:53 GMT|
|Published||Oct 25 2010 11:59 GMT|
This Trojan installs other programs on the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 70 656 bytes in size. It is written in C++.
Once launched, the Trojan performs the following actions:
The following libraries are extracted from the Trojan's body and saved to the system directory:

%System%\<rnd1>.dll (56 320 bytes; detected by Kaspersky Anti-Virus as "Trojan.Win32.Agent.eiyv")

This library exports the function "Execute", which is designed to block antivirus programs such as the following on the infected system:

McAfee
RAV AntiVirus
ESET NOD32

It blocks them by stopping their respective services, deleting their system registry keys, and terminating processes that have certain libraries loaded in their address space.

%System%\<rnd2>.dll (8 704 bytes; detected by Kaspersky Anti-Virus as "Trojan-Downloader.Win32.Agent.dxqs")

This library exports the function "Execute", which downloads files from the Internet and saves them in the "%Temp%" directory. While this function runs, a separate thread creates the following system registry autorun value in an endless loop:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"system" = "%System%\system.exe"

This ensures that "%System%\system.exe" is launched automatically each time the system is restarted.

Here <rnd1> and <rnd2> are random strings of letters (for example: "ugkreaca" and "xonbecca").

The Trojan then runs:

%System%\<rnd1>.dll Execute
%System%\<rnd2>.dll Execute

In this way the functions named "Execute" are called from the extracted libraries.
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

Delete the following files:

%System%\<rnd1>.dll
%System%\<rnd2>.dll
%System%\system.exe

Delete the following system registry value:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"system" = "%System%\system.exe"

Because the downloader library re-creates this value in a loop for as long as it is running, make sure the Trojan's process has been terminated before deleting the value; otherwise it will reappear immediately.
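The following PowerShell triage script is an added example and is not part of the original description. It checks a Windows host for the artifacts listed above: the "system" autorun value, candidate dropped DLLs in the system directory, and stopped services of the antivirus products named. The autorun value, the file sizes and the %System%\system.exe path come from the description; the eight-lowercase-letter filename pattern is an assumption generalized from the two sample names, and the service display-name patterns (McAfee, RAV, ESET, NOD32) are assumptions as well.

```powershell
# Added triage script (not from the original description). Read-only: it reports
# indicators and removes nothing. Run from an elevated PowerShell session.

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysDir = [Environment]::GetFolderPath('System')   # resolves %System%
$findings = @()

# 1. Autorun value "system" pointing at %System%\system.exe (from the description)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'system')) {
    $val = [string]$run.system
    if ($val -ieq (Join-Path $sysDir 'system.exe')) {
        $findings += "Run value 'system' = $val"
    }
}
if (Test-Path (Join-Path $sysDir 'system.exe')) {
    $findings += "File present: $(Join-Path $sysDir 'system.exe')"
}

# 2. Dropped DLLs: sizes 56 320 and 8 704 bytes (from the description);
#    the 8-lowercase-letter name pattern is an assumption based on the sample names
$sizes = 56320, 8704
Get-ChildItem -Path $sysDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -cmatch '^[a-z]{8}$' -and ($sizes -contains $_.Length) } |
    ForEach-Object { $findings += "Candidate dropped DLL: $($_.FullName) ($($_.Length) bytes)" }

# 3. Antivirus services the first DLL stops; display-name patterns are assumptions
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'McAfee|RAV|ESET|NOD32' -and $_.Status -ne 'Running' } |
    ForEach-Object { $findings += "AV service not running: $($_.DisplayName) [$($_.Status)]" }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

If the Run value is reported, terminate the Trojan's process before deleting it: the downloader library rewrites the value continuously while it runs, so a deletion made beforehand is undone within moments and a second run of the script will show it back.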
Trojan-Dropper programs are designed to secretly install malicious programs built into their code on victim computers.
Programs of this type usually save a range of files to the victim's drive (usually to the Windows directory, the Windows system directory, a temporary directory, etc.) and launch them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to: