The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1


Detected Aug 24 2010 08:47 GMT
Released Aug 24 2010 14:59 GMT
Published Mar 16 2011 10:22 GMT

Technical Details
Removal instructions

Technical Details

This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file) and is 53 760 bytes in size. It is written in Delphi.


Once launched, the Trojan copies its body to the following file:

At the same time, this system registry key is created:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\userinit.exe]
"Debugger" = "winr.exe"
Thereby, the Trojan will be launched as a debugger each time the process "userinit.exe" starts.

The original Trojan file from the installation stage is deleted.


To ensure that its process is unique within the system, the Trojan creates a unique ID with the name "6A57BEED". After this, to check for a connection to the Internet, it initiates a connection to the site:

If there is a connection, the Trojan connects to the hosts:
Other malicious programs may be downloaded from these hosts to the infected computer. At the time of writing, these servers were not responding.

The Trojan is able to inject its malicious code into the address spaces of system processes:


Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

  1. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
    "Debugger" = "winr.exe"
  2. Reboot the computer.
  3. Delete the following file:
  4. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

SHA1: 4FE30AD373ACD5C073913624747985738EF7EF57

Bookmark and Share

Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.

Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).

This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.

Other versions


Trojan-Downloader.Win32.Agent.ejui (Kaspersky Lab) is also known as:

  • Trojan: Generic.dx!tqa (McAfee)
  • Mal/FakeAV-BT (Sophos)
  • Trojan.Agent-168876 (ClamAV)
  • Trj/Downloader.MDW (Panda)
  • Trojan:Win32/Remhead (MS(OneCare))
  • Trojan.DownLoader1.19025 (DrWeb)
  • Win32/Spy.Bebloh.E trojan (Nod32)
  • Trojan.Fakealert.16193 (BitDef7)
  • Trojan.DL.Agent!F8xoOL7WIHA (VirusBuster)
  • Win32:Malware-gen (AVAST)
  • Trojan.SuspectCRC (Ikarus)
  • Generic18.BYPD (AVG)
  • TR/Agent.AVN.1 (AVIRA)
  • Trojan.Zbot (NAV)
  • W32/Smalltroj.ZJIS (Norman)
  • Trojan.Win32.Generic.522ABD94 (Rising)
  • Trojan-Downloader.Win32.Agent.ejui [AVP] (FSecure)
  • TROJ_DLOADR.EXE (TrendMicro)
  • Trojan-Downloader.Win32.Agent (Sunbelt)
  • Trojan.DL.Agent!F8xoOL7WIHA (VirusBusterBeta)