
Trojan-Dropper.Win32.Agent.aiad

Detected Feb 26 2009 18:52 GMT
Released Feb 26 2009 23:24 GMT
Published Oct 25 2010 09:39 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan installs other programs on the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 33 400 bytes in size. It is packed using UPX. The unpacked file is approximately 73 KB in size. It is written in Delphi.


Payload

Once launched, the Trojan performs the following actions:

  • It deletes the following file:
    %Program Files%\Internet Explorer\JavaNe64.Bet
  • It copies its body to a file:
    %Program Files%\Internet Explorer\JavaNe64.Bet
    The first 2 bytes of the file are replaced with
    4B 4F
  • It extracts a file from its body and saves it under the following name:
    %Program Files%\Internet Explorer\BoboChen.jsp
    (50 296 bytes; detected by Kaspersky Anti-Virus as "Worm.Win32.AutoRun.aazu"). The file is created with the "hidden" and "system" attributes.

    The extracted library contains functionality that enables the malicious user to hijack accounts of the Chinese Tencent QQ instant messaging service.

  • It launches its original file with the "Z" parameter. When run with this parameter, in addition to the actions listed above, it creates a window named "Jsxtxut" (window class: "Button"). Messages sent to this window are processed by the "MgHookOp" and "MgHookCs" functions from the previously extracted library.
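The file artifacts above (the copied body whose first two bytes are replaced with 4B 4F, and the 50 296-byte library dropped with hidden and system attributes) can be checked on a suspect machine without running the sample. The script below is an added example, not Kaspersky's code; it takes the directory standing in for %Program Files% as a parameter, and the sample tree it builds for itself is constructed, not the real malware.

```python
import tempfile
from pathlib import Path

# Indicators taken from the description above (paths relative to %Program Files%).
DROPPED_BODY = Path("Internet Explorer") / "JavaNe64.Bet"
DROPPED_LIB = Path("Internet Explorer") / "BoboChen.jsp"
BODY_MARKER = b"\x4B\x4F"  # the copied body starts with 4B 4F instead of the PE "MZ" signature
LIB_SIZE = 50296           # size of the extracted library in bytes
HIDDEN_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def check_dropper_artifacts(program_files: Path) -> dict:
    """Report which of the dropper's file indicators exist under program_files (%Program Files%)."""
    body = program_files / DROPPED_BODY
    lib = program_files / DROPPED_LIB
    result = {
        "body_present": body.is_file(),
        "body_marker": False,
        "lib_present": lib.is_file(),
        "lib_size_match": False,
        "lib_hidden_system": None,  # stays None where attribute bits are unavailable (non-Windows)
    }
    if result["body_present"]:
        with open(body, "rb") as f:
            result["body_marker"] = f.read(2) == BODY_MARKER
    if result["lib_present"]:
        st = lib.stat()
        result["lib_size_match"] = st.st_size == LIB_SIZE
        attrs = getattr(st, "st_file_attributes", None)  # populated by os.stat on Windows only
        if attrs is not None:
            result["lib_hidden_system"] = (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM
    result["infected"] = result["body_marker"] or result["lib_size_match"]
    return result


def make_constructed_sample() -> Path:
    """Build a throwaway tree imitating an infected %Program Files% (constructed contents, not the malware)."""
    root = Path(tempfile.mkdtemp(prefix="dropper-check-"))
    (root / "Internet Explorer").mkdir()
    (root / DROPPED_BODY).write_bytes(BODY_MARKER + b"\x90\x00\x03\x00" + b"\x00" * 60)
    (root / DROPPED_LIB).write_bytes(b"\x00" * LIB_SIZE)
    return root


if __name__ == "__main__":
    print(check_dropper_artifacts(make_constructed_sample()))
```

On a live Windows host call `check_dropper_artifacts` with the real %Program Files% path; the attribute check then reports whether the library still carries the hidden and system bits.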


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following files:
    %Program Files%\Internet Explorer\JavaNe64.Bet
    %Program Files%\Internet Explorer\BoboChen.jsp
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: 4DA4FC0A5FB8A56792FC45376EB63499
SHA1: F25E622929AE4C77C234CFF0C15E81C09C4880A2


Trojan-Dropper

Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.

This type of malicious program usually saves a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, a temporary directory, etc.) and launches them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).

Such programs are used by hackers to:

  • secretly install Trojan programs and/or viruses
  • protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojan.

Other versions

Aliases

Trojan-Dropper.Win32.Agent.aiad (Kaspersky Lab) is also known as:

  • Trojan: PWS-OnlineGames.e (McAfee)
  • Troj/QQPass-Gen (Sophos)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/AutoRun.D.gen!Eldorado (FPROT)
  • Trojan.PWS.Lineage.origin (DrWeb)
  • Trojan.PWS.Lineage.6464 (DrWeb)
  • a variant of Win32/PSW.Delf.NLZ trojan (Nod32)
  • Trojan.OnlineGames.Gen.65 (VirusBuster)
  • PSW.Delf.DAP (AVG)
  • TR/ATRAPS.Gen (AVIRA)
  • Infostealer (NAV)
  • SandBox found 'W32/Malware'. Infection details: [ General information ] (Norman)
  • Trojan.PSW.Win32.QQPass.eal (Rising)
  • Trojan-Dropper.Win32.Agent.aiad [AVP] (FSecure)
  • Mal_Qqhook (TrendMicro)
  • Trojan.OnlineGames.Gen.65 (VirusBusterBeta)