Internet threat level: 1
Home→Descriptions→Trojan-Dropper.Win32.Agent.albv
Trojan-Dropper.Win32.Agent.albv
| Detected | Mar 29 2009 16:03 GMT |
| Released | Mar 29 2009 19:47 GMT |
| Published | Apr 15 2009 07:34 GMT |
Payload
Removal instructions
Technical Details
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 23552 bytes in size.
Installation
The Trojan copies its executable file as follows:
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:
"WSVCHO" = "%WinDir%\system\svhost.exe"
Payload
The Trojan adds its executable file to the Windows firewall list of trusted applications. It then launches the “iexplore.exe” process and injects its code into this process.
It also attempts to terminate the following processes:
avesvc.exe ashdisp.exe avgrsx.exe bdss.exe spider.exe avp.exe nod32krn.exe cclaw.exe dvpapi.exe ewidoctrl.exe mcshield.exe pavfires.exe almon.exe ccapp.exe pccntmon.exe fssm32.exe issvc.exe vsmon.exe cpf.exe ca.exe tnbutil.exe avp.exe mpfservice.exe npfmsg.exe outpost.exe tpsrv.exe pavfires.exe kpf4ss.exe persfw.exe vsserv.exe smc.exe
It also attempts to disable the following services associated with antivirus and firewall programs:
Avast Antivirus
AVG Antivirus
BitDefender
Dr.Web
Kaspersky Antivirus
Nod32
Norman
Authentium Antivirus
Ewido Security Suite
McAfee VirusScan
Panda Antivirus/Firewall
Sophos
Symantec/Norton
PC-cillin Antivirus
F-Secure
Norton Personal Firewall
ZoneAlarm
Comodo Firewall
eTrust EZ Firewall
F-Secure Internet Security
Kaspersky Antihacker
McAfee Personal Firewall
Norman Personal Firewall
Outpost Personal Firewall
Panda Internet Seciruty Suite
Panda Anti-Virus/Firewall
Kerio Personal Firewall
Tiny Personal Firewall
BitDefender / Bull Guard Antivirus
Sygate Personal Firewall
The Trojan also harvests passwords to web sites saved to the cache of the browsers shown below:
Internet Explorer
It also harvests passwords and account data for the following IM clients:
Trillian Miranda Yahoo Messenger MySpace IM Gaim
The Trojan has a built-in keylogger and can make screenshots of the user’s desktop. These screenshots are saved to the Temporary directory as <N> with <N> being a decimal number.
Harvested data is sent to the malicious user’s server:
212.158.160.***Propagation via removable media
The Trojan copies its executable file to the root of each removable drive under the following name:
<X>:\wlan.exe, with X being the disk
In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:
This file will launch the Trojan executable file each time the user opens an infected disk using Explorer.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the malicious program’s process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe" - Delete the following file:
%WinDir%\system\svhost.exe
- Empty the temporary directory (%Temp%).
- Delete the files shown below from all removable storage media:
<X>:\autorun.infwith X being the disk
<X>:\wlan.exe, - Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.
This type of malicious program usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.).
Such programs are used by hackers to:
- secretly install Trojan programs and/or viruses
- protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojans.
Trojan-Dropper.
- Virus:
W32/IRCbot. gen. a (McAfee) - W32/Rbot-GXQ (Sophos)
- W32/IRCBot.
CKA. worm (Panda) - W32/Heuristic-210!Eldorado (FPROT)
- Worm:
Win32/Neeris. AT (MS(OneCare)) - BackDoor.
IRC. Sdbot. 4756 (DrWeb) - Win32/IRCBot.
AMC trojan (Nod32) - Backdoor.
Bot. 91716 (BitDef7) - Packed/FRBR (VirusBuster)
- Win32:
Crypt-DXU [Trj] (AVAST) - Packer.
Krunchy (Ikarus) - SHeur2.
YJC (AVG) - TR/Dropper.
Gen (AVIRA) - W32.
Spybot. Worm (NAV) - W32/Smalltroj.
dam (Norman) - Trojan.
DL. Win32. Nodef. hc (Rising) - Trojan-Dropper.
Win32. Agent. albv [AVP] (FSecure) - WORM_NEERIS.
A (TrendMicro)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.