English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.Win32.Agent2.dmvt

Detected May 07 2011 12:20 GMT
Released May 07 2011 17:00 GMT
Published Sep 19 2011 13:45 GMT

Manual description Auto description
This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details
Payload
Removal instructions

Technical Details

A trojan program designed to steal the user's authentication data. It is a Windows application (PE-EXE file). 6144 bytes. UPX packed. Unpacked size – around 12 kB. Written in C++.


Payload

After launching, the trojan checks for the following branch in the system registry:

[HKCU\Software\Classes\CLSID\{82404416-4C60-47F8-BA06-90BA7261C3AE}\InprocServer32]
If the branch is missing, it performs the following actions:
  • the body of the trojan is copied to the current user's temporary file directory:
    %Temp%\Procmon.exe
  • The copy created is launched with the "loop" parameter.

When launching with the "loop" parameter, the trojan completes the processes with the "duospeak" substring in the names of their executable files. It then creates and launches the shell script "c:\test.bat" with the following content:

:try
del "<full path to the original trojan file>""
 if exist "<full path to the original trojan file>" goto try
 del %0
which results in the deletion of the original trojan file after it shuts down. The script is also deleted.

If this system registry branch is found, the trojan carries out the following actions:

  • it reads the key value:
    [HKCU\Software\Classes\CLSID\{82404416-4C60-47F8-BA06-90BA7261C3AE}\InprocServer32]
    "default"
    
    This key saves the string containing the path to a DLL file.
  • It deletes the following file:
    <Path>\YYCtrl.dll
    The <Path> is made up of the previously read strings by deleting the last 14 symbols.
  • It retrieves the following file from its body:
    <Path>\YYCtrl.dll
    (4608 bytes; detected by Kaspersky Antivirus as "Trojan.Win32.Agent2.dmuw") The file is created with the "hidden" attribute.
  • It modifies the library
    <Path>\msvcr71.dll
    writing the previously extracted library into the code loaded for a particular process. The malicious library "YYCtrl.dll" is therefore entered into the address space for all of the loaded "msvcr71.dll" processes.
  • It creates and runs the previously described "c:\test.bat" script, and then shuts down.

Having loaded the "duospeak.exe" process into the address space, the "YYCtrl.dll" library allows for the information entered by the user in the following window classes to be tracked:

YYMainWnd
YYLogin
Edit
The data collected is sent to the server in HTTP-requests:
124.***.56.12
121.***.13.22


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Using Task Manager, end the "duospeak.exe" process.
  2. Delete the following files:
    %Temp%\Procmon.exe
    <Path>\YYCtrl.dll
    
  3. Restore the original file contents:
    <Path>\msvcr71.dll
  4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: 7ACC4753C7A39E0F3E70C46DFCEF7E28
SHA1: 3DA90B2175444CC8DC10375C83B3D414A69F21BC


Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions

Aliases

Trojan.Win32.Agent2.dmvt (Kaspersky Lab) is also known as:

  • Troj/BHO-SQ (Sophos)
  • Trojan.MulDrop2.17522 (DrWeb)
  • Win32/PSW.OnLineGames.PIO trojan (Nod32)
  • Generic.Malware.Bdld!!.ACF1CFDA (BitDef7)
  • Trojan-PWS.OnlineGames3 (Ikarus)
  • PSW.OnlineGames3.BIDB (AVG)
  • TR/ATRAPS.Gen (AVIRA)
  • Infostealer (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Win32.Generic.12872284 (Rising)