
Trojan.Win32.Agent2.ddnd

Detected Mar 03 2011 23:25 GMT
Released Mar 04 2011 06:17 GMT
Published Sep 19 2011 12:57 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details

A Trojan program that downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE-EXE file), 8704 bytes in size, written in C++.

Installation

The Trojan creates a value under the following system registry key so that its original file is launched automatically at the next system start:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<name of the executable trojan file without extension>" = "<full path to the original trojan file>"


Payload

After launching, the Trojan carries out the following actions in an infinite loop:

  • It reads the content of the HTML page at the following address:
    http://www.aca****ctreks.com/postinfo.html
  • It parses the received data for links to the files to be downloaded.
  • It downloads each linked file to the current user's temporary directory as
    %Temp%\<FileName>.exe
    where <FileName> is taken from the link.
  • If the download succeeds, the downloaded file is launched for execution.

Depending on the result of the download, the pause between loop iterations may be 8, 10, 90, or 100 minutes.
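The loop above gives a network-side signature: the same client repeatedly fetches a postinfo.html page at 8-, 10-, 90- or 100-minute gaps, and a download of an .exe shortly follows a poll. The following script is an added example, not part of the Kaspersky description or of any Kaspersky tool; it runs that detection logic over constructed proxy log lines and predicts the %Temp%\<FileName>.exe drop path for each download. The log format, the client addresses, the domain c2.example, the 60-second gap tolerance, the 5-minute poll-to-download window and the rule for deriving <FileName> from the link are all assumptions made for the example.

```python
"""Added example (not from the Kaspersky description): flag proxy-log clients
whose traffic matches the loop described above (repeated fetches of a
postinfo.html page at 8/10/90/100-minute intervals, each followed by an .exe
download) and predict where each download lands (%Temp%\\<FileName>.exe).
The log format, client addresses and the domain 'c2.example' are constructed."""
from datetime import datetime, timedelta
import re

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>" per line.
SAMPLE_LOG = """\
2011-03-04T06:00:00 10.0.0.5 GET http://c2.example/postinfo.html
2011-03-04T06:00:02 10.0.0.5 GET http://c2.example/files/update.exe
2011-03-04T06:08:00 10.0.0.5 GET http://c2.example/postinfo.html
2011-03-04T06:08:01 10.0.0.5 GET http://c2.example/files/update.exe
2011-03-04T06:18:00 10.0.0.5 GET http://c2.example/postinfo.html
2011-03-04T06:00:00 10.0.0.9 GET http://news.example/postinfo.html
2011-03-04T09:30:00 10.0.0.9 GET http://news.example/index.html
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Sleep intervals the description gives for this family, in minutes. The
# 60-second tolerance and the 5-minute poll-to-download window are assumptions.
BEACON_INTERVALS = (8, 10, 90, 100)
GAP_TOLERANCE = timedelta(seconds=60)
DOWNLOAD_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Return (timestamp, client, method, url) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, method, url = m.groups()
            entries.append((datetime.fromisoformat(ts), client, method, url))
    return entries


def is_beacon_gap(delta):
    """True if a poll-to-poll gap matches one of the reported sleep intervals."""
    return any(abs(delta - timedelta(minutes=m)) <= GAP_TOLERANCE
               for m in BEACON_INTERVALS)


def expected_drop_path(url):
    """Predict the drop location %Temp%\\<FileName>.exe. The description says
    <FileName> comes from the link; taking the last path component minus any
    query string and .exe suffix is an assumption about how that is done."""
    name = url.rsplit("/", 1)[-1].split("?", 1)[0]
    stem = name[:-4] if name.lower().endswith(".exe") else name
    return "%Temp%\\" + stem + ".exe"


def find_beaconing_clients(entries, min_polls=3):
    """Map client -> {'polls': n, 'drops': [...]} for clients that fetch a
    postinfo.html page at least min_polls times with beacon-like gaps only."""
    polls, drops = {}, {}
    for ts, client, _method, url in sorted(entries):
        if url.lower().endswith("/postinfo.html"):
            polls.setdefault(client, []).append(ts)
        elif url.lower().endswith(".exe") and client in polls:
            # Count the download only if it closely follows that client's poll.
            if ts - polls[client][-1] <= DOWNLOAD_WINDOW:
                drops.setdefault(client, set()).add(expected_drop_path(url))
    hits = {}
    for client, times in polls.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_polls and all(is_beacon_gap(g) for g in gaps):
            hits[client] = {"polls": len(times),
                            "drops": sorted(drops.get(client, ()))}
    return hits


if __name__ == "__main__":
    for client, info in find_beaconing_clients(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

On the constructed log, 10.0.0.5 is flagged (three polls 8 and 10 minutes apart, one predicted drop at %Temp%\update.exe) while 10.0.0.9, which fetches a postinfo.html page once, is not. The predicted drop paths are what to look for on the host before following the removal instructions below.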


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with this malware, take the following actions to remove it:

  1. Using Task Manager, end the Trojan process.
  2. Delete the original Trojan file (its location on the infected computer depends on how the program got onto the computer).
  3. Delete the system registry value:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "<name of the executable trojan file without extension>" = "<full path to the original trojan file>"
    
  4. Clear the current user's temporary directory (%Temp%), where the Trojan saves the files it downloads, and the Temporary Internet Files directory, which may also contain infected files.
  5. Run a full scan of the computer with Kaspersky Anti-Virus using updated antivirus databases.

MD5: FED763A86628E820EEE6C9C8547FECB1
SHA1: C60D2E07D025B7AB09FF4B10999838758BF24B7A
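Steps 2 and 3 of the removal instructions can be checked rather than done by hand: export the HKCU Run key (for example with reg export), parse the exported values, hash the file each value points to and compare it with the MD5 and SHA1 above. The script below is an added example, not part of the Kaspersky description or of any Kaspersky tool. It parses a .reg export of the Run key, flags entries whose target matches the IOC hashes, and separately flags entries whose value name equals the file name without extension and whose file is 8704 bytes, which is the pattern this description gives. The .reg text, the value names and the 8704-byte placeholder file it creates are constructed (it is not the real sample), and the name-plus-size heuristic is a weak indicator that only narrows down candidates.

```python
"""Added example (not from the Kaspersky description): triage the HKCU Run key
against the indicators given for Trojan.Win32.Agent2.ddnd. The .reg export and
the placeholder file used for the demonstration are constructed."""
import hashlib
import os
import re
import tempfile

# Hashes published in the description, lower-cased for comparison.
IOC_MD5 = "fed763a86628e820eee6c9c8547fecb1"
IOC_SHA1 = "c60d2e07d025b7ab09ff4b10999838758bf24b7a"
IOC_SIZE = 8704
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# One REG_SZ line of a .reg export: "name"="data", with \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_run_values(reg_text):
    """Return {value_name: data} for string values under the HKCU Run key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            name, data = m.groups()
            values[name] = re.sub(r"\\(.)", r"\1", data)  # undo .reg escaping
    return values


def command_path(data):
    """Strip quotes and arguments: '"C:\\a b\\x.exe" /q' -> 'C:\\a b\\x.exe'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]


def file_stem(path):
    """File name without extension; accepts Windows or POSIX separators."""
    return os.path.splitext(re.split(r"[\\/]", path)[-1])[0]


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def triage_run_values(values, ioc_hashes=frozenset((IOC_MD5, IOC_SHA1))):
    """Return [(value_name, path, [reasons])] for Run entries worth removing."""
    findings = []
    for name, data in values.items():
        path = command_path(data)
        reasons = []
        if os.path.isfile(path):
            md5, sha1 = file_hashes(path)
            if md5 in ioc_hashes or sha1 in ioc_hashes:
                reasons.append("hash matches Trojan.Win32.Agent2.ddnd IOC")
            # Weak indicator from the description: value name == file stem,
            # original file 8704 bytes. Many legitimate entries share the
            # naming pattern, so the size is required as well.
            if name == file_stem(path) and os.path.getsize(path) == IOC_SIZE:
                reasons.append("value name equals file stem and size is 8704 bytes")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def build_demo():
    """Create a constructed .reg export: one entry pointing at a constructed
    8704-byte placeholder file (not the real sample) and one benign entry.
    Returns (reg_text, placeholder_path)."""
    path = os.path.join(tempfile.mkdtemp(), "svchost.exe")
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x00" * (IOC_SIZE - 2))
    reg_text = (
        "Windows Registry Editor Version 5.00\n\n"
        "[" + RUN_KEY + "]\n"
        '"svchost"="' + path.replace("\\", "\\\\") + '"\n'
        '"Updater"="\\"C:\\\\Program Files\\\\Vendor\\\\updater.exe\\" /silent"\n'
    )
    return reg_text, path


if __name__ == "__main__":
    demo_text, _ = build_demo()
    for finding in triage_run_values(parse_reg_run_values(demo_text)):
        print(finding)
```

On a real machine, replace build_demo() with the text of reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg; a hash match is conclusive, while the name-and-size hit only tells you which file to submit for analysis. Files the Trojan has already dropped into %Temp% will not appear in the Run key and still need the clean-up in step 4.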


Trojan

This behaviour covers malicious programs that delete, block, modify, or copy data, or disrupt computer or network performance, but which cannot be classified under any of the more specific behaviours in Kaspersky Lab's classification.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
