Trojan.Win32.Agent.fkeh

Detected May 12 2010 20:02 GMT
Released May 13 2010 02:39 GMT
Published Sep 19 2011 12:33 GMT

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file), 7710 bytes in size, written in C++.


Payload

After launching, the trojan extracts a file (25 bytes) from its body and saves it in the current user's temporary file directory "%Temp%" as:

    %Temp%\install_temp.bat

The extracted file is a command shell (batch) script and contains the following commands:

    @echo off
    time 0:00 >nul

The trojan then launches the script with the following command:

    cmd.exe /c "%Temp%\install_temp.bat"

As a result, the system time is changed to "0:00". The trojan then terminates.


Removal instructions

If your computer was not protected with anti-virus software and has been infected with this malware, take the following actions to remove it:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Delete the following file:
    %Temp%\install_temp.bat
  3. Set the correct system time.
  4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases.

MD5: FE92DF16A7949A5C2DE6A2EA313250F6
SHA1: 60D3A0FB79A59BF9DF7C7C89C692C06264992882
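
A read-only check for the indicators listed in this description, as an added example that is not part of the original Kaspersky Lab write-up: it looks for the dropped install_temp.bat in a temp directory and searches a directory tree for files whose MD5 and SHA1 both match the values above. The function names and the loose pattern match on the "time 0:00" command are assumptions of this example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from this description.
KNOWN_MD5 = "fe92df16a7949a5c2de6a2ea313250f6"
KNOWN_SHA1 = "60d3a0fb79a59bf9df7c7c89c692c06264992882"
DROPPED_NAME = "install_temp.bat"
# Assumption: match the time-reset command loosely so that whitespace or
# case differences do not hide the artifact.
TIME_RESET = re.compile(rb"^\s*time\s+0:00\b", re.IGNORECASE | re.MULTILINE)


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def check_dropped_script(temp_dir):
    """Return the dropped script's path if it exists and resets the time."""
    candidate = Path(temp_dir) / DROPPED_NAME
    if candidate.is_file() and TIME_RESET.search(candidate.read_bytes()):
        return candidate
    return None


def find_files_by_hash(root, md5=KNOWN_MD5, sha1=KNOWN_SHA1):
    """Walk root and return files whose MD5 and SHA1 both match."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                if file_hashes(path) == (md5.lower(), sha1.lower()):
                    hits.append(path)
            except OSError:
                continue  # unreadable or locked file; skip it
    return hits


if __name__ == "__main__":
    temp_dir = os.environ.get("TEMP", tempfile.gettempdir())
    print("dropped script:", check_dropped_script(temp_dir))
    print("hash matches:", find_files_by_hash(temp_dir))
```

The script only reports findings; deleting the files and correcting the clock remain the manual steps listed in the removal instructions.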


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Agent.fkeh (Kaspersky Lab) is also known as:

  • Trojan-Ransom.Win32.XBlocker.aby (Kaspersky Lab)
  • Trojan: Generic.dx!uri (McAfee)
  • Trojan:Win32/Bumat!rts (MS(OneCare))
  • Trojan.Starter.1358 (DrWeb)
  • Win32/Small.NHZ trojan (Nod32)
  • Trojan.Generic.3789335 (BitDef7)
  • Win32:Trojan-gen (AVAST)
  • Injector.EZ (AVG)
  • Trojan.Agent!B6XphHN51ng (VirusBusterBeta)