Internet threat level: 1
Home→Descriptions→Trojan-Downloader.Win32.Agent.ejui
Trojan-Downloader.Win32.Agent.ejui
| Detected | Aug 24 2010 08:47 GMT |
| Released | Aug 24 2010 14:59 GMT |
| Published | Mar 16 2011 10:22 GMT |
Payload
Removal instructions
Technical Details
This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file) and is 53 760 bytes in size. It is written in Delphi.
Installation
Once launched, the Trojan copies its body to the following file:
%System%\winr.exeAt the same time, this system registry key is created:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\ Image File Execution Options\userinit.exe] "Debugger" = "winr.exe"Thereby, the Trojan will be launched as a debugger each time the process "userinit.exe" starts.
The original Trojan file from the installation stage is deleted.
Payload
To ensure that its process is unique within the system, the Trojan creates a unique ID with the name "6A57BEED". After this, to check for a connection to the Internet, it initiates a connection to the site:
google.comIf there is a connection, the Trojan connects to the hosts:
taw***do.cc uer***mo.ccOther malicious programs may be downloaded from these hosts to the infected computer. At the time of writing, these servers were not responding.
The Trojan is able to inject its malicious code into the address spaces of system processes:
csrss.exe svchost.exe winlogon.exe explorer.exe
Removal instructions
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Delete the following system registry key (see What is a system registry and how do I use it?):
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe] "Debugger" = "winr.exe"
- Reboot the computer.
- Delete the following file:
%System%\winr.exe
- Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
MD5: F6AA4BCCAA4DA8DAC3F32B3AEB315687
SHA1: 4FE30AD373ACD5C073913624747985738EF7EF57
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.
Trojan-Downloader.
- Trojan:
Generic. dx!tqa (McAfee) - Mal/FakeAV-BT (Sophos)
- Trojan.
Agent-168876 (ClamAV) - Trj/Downloader.
MDW (Panda) - Trojan:
Win32/Remhead (MS(OneCare)) - Trojan.
DownLoader1. 19025 (DrWeb) - Win32/Spy.
Bebloh. E trojan (Nod32) - Trojan.
Fakealert. 16193 (BitDef7) - Trojan.
DL. Agent!F8xoOL7WIHA (VirusBuster) - Win32:
Malware-gen (AVAST) - Trojan.
SuspectCRC (Ikarus) - Generic18.
BYPD (AVG) - TR/Agent.
AVN. 1 (AVIRA) - Trojan.
Zbot (NAV) - W32/Smalltroj.
ZJIS (Norman) - Trojan.
Win32. Generic. 522ABD94 (Rising) - Trojan-Downloader.
Win32. Agent. ejui [AVP] (FSecure) - TROJ_DLOADR.
EXE (TrendMicro) - Trojan-Downloader.
Win32. Agent (Sunbelt) - Trojan.
DL. Agent!F8xoOL7WIHA (VirusBusterBeta)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.