Trojan-Downloader.Win32.Agent.ahoe

Technical Details

This Trojan downloads another malicious program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 9216 bytes in size. It is packed using UPX. The unpacked file is approximately 38KB in size. It is written in C++.

Payload

The Trojan downloads files from the following URLs:

http://*****fdujt.info/?44ffa2
http://*****fdujt.info/i.php
http://*****fdujt.info/myh.php

At the time of writing, these links were not working.

The files will be saved to the current user’s Windows temporary directory with random names.

The Trojan then sends a request to the following address:

http://195.24.77.***/utest/?*****74&oo=2&75f2d3=33985db&ra=0

If the server does not respond, the Trojan will repeat the attempt after six minutes.

The Trojan also creates a unique identifier, “S_SERV_v0.66_Beta_erf” to flag its presence in the system.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
2. Delete all files from %Temporary Internet Files%.
3. Empty the temporary directory (%Temp%).
4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).