
Trojan-Dropper.Win32.Agent.dvyh

Detected Jan 06 2011 15:13 GMT
Released Jan 06 2011 22:36 GMT
Published Feb 22 2011 14:01 GMT

Technical Details

This Trojan installs and launches other programs on the infected computer without the user's knowledge. It is a Windows .Net application (PE EXE file). It is 3 889 352 bytes in size.


Payload

Once launched, the Trojan decrypts and extracts the following files from its body to the current user's temporary directory:

%Temp%\KasKeygenRevised.exe
This file is 479 232 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.VB.aaen.
%Temp%\1234.exe
This file is 2 196 545 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.dvyg.

The Trojan then launches the extracted files for execution and ceases running. The file "KasKeygenRevised.exe", which is detected as Trojan.Win32.VB.aaen, imitates key generation for Kaspersky Lab products such as: Kaspersky Anti-Virus 2010, Kaspersky Internet Security 2010, Kaspersky Simple Scan 2010. The program's main windows look like this:

The file "1234.exe", which is detected as Trojan-Dropper.Win32.Agent.dvyg, has the following payload:

Once launched, the Trojan decrypts and extracts the following files from its body to the current user's temporary directory:

%Temp%\instant.exe
This file is 1 116 397 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.MSIL.Agent.aor.
%Temp%\server.exe
This file is 289 792 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Llac.gfu.

The Trojan then launches the extracted files for execution and ceases running. The file "instant.exe", which is detected as Trojan.MSIL.Agent.aor, has the following payload:

The Trojan contains functionality that prevents its payload from running when it is launched in any of the following virtual environments:

VMWare
VirtualPC
VirtualBox
Sandboxie
This Trojan program is designed to steal user registration information for the following software products:
Splinter Cell Pandora Tomorrow   
Splinter Cell Chaos Theory  
Call of Duty   
Call of Duty United Offensive   
Call of Duty 2   
Call of Duty 4   
COD4 Steam Version   
Call of Duty WAW   
Dawn of War   
Dawn of War - Dark Crusade   
Medieval II Total War   
Adobe Goolive   
Nero 7   
ACDSystems PicAView   
Act of War   
Adobe Photoshop 7   
Advanced PDF Password Recovery   
Advanced PDF Password Recovery Pro   
Advanced ZIP Password Recovery   
Anno 1701   
Ashamopp WinOptimizer Platinum   
AV Voice Changer   
Battlefield(1942)   
Battlefield 1942 Secret Weapons of WWII   
Battlefield 1942 The Road to Rome   
Battlefield 2   
Battlefield(2142)   
Battlefield Vietnam   
Black and White   
Black and White 2   
Boulder Dash Rocks   
Burnout Paradise   
Camtasia Studio 4 
Chrome   
Codec Tweak Tool   
Command and Conquer Generals   
Command and Conquer Generals Zero Hour   
Red Alert 2   
Red Alert   
Command and Conquer Tiberian Sun   
Command and Conquer 3   
Company of Heroes   
Counter-Strike   
Crysis   
PowerDVD   
PowerBar   
CyberLink PowerProducer   
Day of Defeat   
The Battle for Middle-earth II   
The Sims 2   
The Sims 2 University   
The Sims 2 Nightlife   
The Sims 2 Open For Business   
The Sims 2 Pets   
The Sims 2 Seasons   
The Sims 2 Glamour Life Stuff   
The Sims 2 Celebration Stuff   
The Sims 2 H M Fashion Stuff   
The Sims 2 Family Fun Stuff   
DVD Audio Extractor
Empire Earth II   
F.E.A.R   
F-Secure   
FARCRY   
FARCRY 2   
FIFA 2002   
FIFA 2003   
FIFA 2004   
FIFA 2005   
FIFA 07   
FIFA 08   
Freedom Force   
Frontlines Fuel of War Beta   
Frontlines  Fuel of War   
GetRight   
Global Operations   
Gunman   
Half-Life   
Hellgate London   
Hidden & Dangerous 2   
IGI 2 Retail   
InCD Serial   
IG2   
iPod Converter (Registration Code)   
iPod Converter (User Name)   
James Bond 007 Nightfire   
Status Legends of Might and Magic   
Macromedia Flash 7   
Macromedia Fireworks 7   
Macromedia Dreamweaver 7   
Madden NFL 07   
Matrix Screensave   
Medal of Honor  Airborne   
Medal of Honor  Allied Assault   
Medal of Honor  Allied Assault  Breakthrough   
Medal of Honor  Heroes 2   
mIRC   
Nascar Racing 2002   
Nascar Racing 2003   
NHL 2002   
NBA LIVE 2003   
NBA LIVE 2004   
NBA LIVE 07   
NBA Live 08   
Need for Speed Carbon   
Need For Speed Hot Pursuit 2   
Need for Speed Most Wanted   
Need for Speed ProStreet   
Need For Speed Underground   
Need For Speed Underground 2   
Nero - Burning Rom   
Nero 7   
Nero 8   
NHL 2002   
NHL 2003   
NHL 2004   
NHL 2005   
NOX   
Numega SmartCheck   
OnlineTVPlayer 
O&O Defrag 8.0 
Partition Magic 8.0   
Passware Encryption Analyzer 
Passware Windows Key 
PowerDvD   
PowerStrip   
Pro Evolution Soccer 2008   
Rainbow Six III RavenShield   
Shogun Total War Warlord Edition   
Sid(Meier) 's Pirates!   
Sid(Meier) 's Pirates!   
Sim City 4 Deluxe   
Sim City 4   
Sniffer Pro 4.5   
Soldiers Of Anarchy   
Soldiers Of Anarchy   
Stalker - Shadow of Chernobyl   
Star Wars Battlefront II (v1.0)   
Star Wars Battlefront II (v1.1)   
Steganos Internet Anonym VPN   
Splinter Cell Pandora Tomorrow   
Surpreme Commander   
S.W.A.T 2   
S.W.A.T 3   
S.W.A.T 4   
TechSmith SnagIt 
Texas Calculatem 4 
The Battle for Middle-earth   
The Orange Box   
The Orange Box   
TMPGEnc DVD Author   
TuneUp 2007 
TuneUp 2008 
TuneUp 2009 
Winamp 
The Sims 3   
Spore   
Mirrors Edge   
GTA IV   
FIFA 2009   
Pro Evolution Soccer 2009   
FIFA 2008   
Nero 9   
Mirc 
Orange Box   
In this case, the registration information consists of the values of the parameters named:
Name
Serial
Registration Code
User Name
Username
Company
License
Owner
Key
Serial Key
The collected data is saved to the following file:
%Temp%\TMP.dat
and sent to the malicious user's email address on the "@gmail.com" server. To determine the infected computer's IP address, the Trojan accesses the following service:
www.whatismyip.com
During its operations, the Trojan extracts from its body the following files:
%WorkDir%\System.Data.SQLite.DLL (886 272 bytes)
%Temp%\melt.tmp (6 bytes)
The file "System.Data.SQLite.DLL" is an ADO.NET provider assembly for working with SQLite. The following string is entered into the file "melt.tmp":
melt
The Trojan modifies the file:
%System%\drivers\etc\hosts
entering the following strings into it:
##Do not touch this file, changing it will cause SERIOUS damage to 
your computer
127.0.0.1 www.rsbot.org/vb/
127.0.0.1 rsbot.org/vb/
127.0.0.1 85.25.184.47
127.0.0.1 www.rsbot.com
127.0.0.1 www.rsbot.com
127.0.0.1 www.rsbot.org
127.0.0.1 www.rsbot.org
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.virusscan.jotti.org/
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.rsbots.net
127.0.0.1 rsbots.net
127.0.0.1 www.RSbots.net
127.0.0.1 www.AutoFighter.org
127.0.0.1 www.RSBotting.com
127.0.0.1 www.RSTrainers.com
127.0.0.1 www.CodeSpace.net
127.0.0.1 www.RsAutoCheats.com
127.0.0.1 www.XxBots.net
127.0.0.1 www.AutoFarmer.org
127.0.0.1 www.kMiner.org 
As a result, access to the listed resources is blocked.
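The hosts-file tampering described above is straightforward to audit offline. The script below is an added example, not Kaspersky's code or the dropper's: it parses a hosts file, flags every non-localhost name that is sunk to a loopback or unspecified address, marks the names that fall under a defender-chosen watch list (the WATCHLIST set is an assumption to be extended per environment), and reports malformed lines, including the stray "your computer" text left by the dropper's two-line comment and names with a URL path glued on, which a hostname lookup never matches but which still prove the file was tampered with. The sample hosts content is constructed from the entries listed in the report.

```python
"""
Audit a Windows hosts file for the kind of tampering described above:
security or update domains pinned to the loopback address so that the
victim can no longer reach them. Added example; not Kaspersky's code.
"""
import ipaddress
import re
import sys

# Names a defender never expects to see sunk to loopback. Assumption:
# this watch list is ours; extend it for your environment.
WATCHLIST = {"virustotal.com", "virusscan.jotti.org", "kaspersky.com"}

# Syntactically valid hostname: labels of letters, digits and '-' joined by '.'.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")

# Constructed sample modelled on the entries listed in the report (shortened).
# The stray "your computer" line is the second half of the dropper's comment,
# which is not itself commented out.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
##Do not touch this file, changing it will cause SERIOUS damage to
your computer
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.virusscan.jotti.org/
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.kMiner.org 
10.0.0.5 intranet.example.test
"""


def on_watchlist(host):
    """True if host or any parent domain is on the watch list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels)))


def audit_hosts(text):
    """Return (line_number, category, entry) findings for a hosts file.

    Categories: 'watchlist'     - watch-listed name sunk to loopback/0.0.0.0
                'loopback_sink' - any other non-localhost name sunk the same way
                'malformed'     - line or name the resolver cannot parse
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        tokens = line.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            # First token is not an address: the resolver skips this line.
            findings.append((lineno, "malformed", line))
            continue
        sinks = addr.is_loopback or addr.is_unspecified
        for token in tokens[1:]:
            # A URL path glued to the name never matches a lookup, but it is
            # still evidence that something other than an admin wrote the line.
            name = token.split("/", 1)[0]
            if name != token or not HOSTNAME_RE.match(name):
                findings.append((lineno, "malformed", token))
            if not name or name.lower() == "localhost" or not sinks:
                continue
            kind = "watchlist" if on_watchlist(name) else "loopback_sink"
            findings.append((lineno, kind, name))
    return findings


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HOSTS
    for lineno, kind, entry in audit_hosts(source):
        print(f"line {lineno:>3}  {kind:<14} {entry}")
```

Run it against %System%\drivers\etc\hosts from a live or mounted system; on a clean host the only mapping to 127.0.0.1 is normally localhost, so any "watchlist" or "loopback_sink" finding deserves a look before the file is restored.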

The file "server.exe", which is detected as Trojan.Win32.Llac.gfu, has the following payload:
  • Installation: Once launched, the Trojan creates a copy of its file in the Windows system directory with the name
    %System%\install\server.exe
    In order to ensure that it is launched automatically each time the system is restarted, the Trojan adds a link to its executable file in the system registry autorun key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\
    Explorer\Run]
    "Policies" = "%System%\install\server.exe"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "HKLM" = "%System%\install\server.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
    Explorer\Run]
    "Policies" = "%System%\install\server.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HKCU" = "%System%\install\server.exe"
    
    [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
    {VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}]
    "StubPath" =  "%System%\install\server.exe Restart"
    
  • Payload:

When any of the following conditions are fulfilled, the Trojan ceases running:

  1. Detection of the following libraries in its address space:
    dbghelp.dll
    sbiedll.dll
    
  2. The Trojan is launched on a VMware virtual machine
  3. Presence of the process:
    VBoxService.exe
    which prevents the Trojan from running on an Oracle VirtualBox virtual machine
  4. If the username on the computer is:
    CurrentUser
  5. If the value of the system registry key parameter
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
    "ProductId" = 
    is one of the following:
    76487-337-8429955-22614
    76487-644-3177037-23510
    55274-640-2673064-23950
    
    In addition, the Trojan employs various anti-debugging hooks.
During its execution, it creates unique identifiers with the names:
_x_X_UPDATE_X_x_
_x_X_PASSWORDLIST_X_x_
_x_X_BLOCKMOUSE_X_x_
0BP3RCBQG7BM1V
0BP3RCBQG7BM1V_PERSIST
It creates a file in the current user's Windows temporary directory:
%Temp%\XX—XX--XX.txt (227 744 bytes)
This file contains a decrypted configuration file for the Trojan's operations, as well as an executable file, which is injected into the address space of the process:
explorer.exe
The Trojan launches the process for the user's default browser. Information about the browser is obtained from the registry key:
[HKCR\http\shell\open\command]
Malicious code is also injected into the browser process.

A file is injected into the address space of these processes in order to restore the Trojan's malicious file and execute the commands obtained from the malicious user's server:

dc-hac***o-ip.info:3737

The malicious user can obtain the following information from the user's computer:

  • List of files on the user's computer;
  • List of open windows;
  • List of launched processes;
  • List of launched services;
  • Information about the equipment in the user's computer;
  • Information about the registry on the user's computer;
  • Information about installed programs;
  • List of open ports;
  • It has a function for browsing the user's desktop;
  • Web camera display;
  • Sound from the user's microphone;
  • Executing a keylogger function to obtain keys pressed on the keyboard and mouse;
  • Passwords saved in browsers.

In addition, it can send commands to execute the following actions:

  • Launch Socks Proxy and HTTP Proxy servers;
  • Open various pages in the user's browser;
  • Download various files to the user's computer and launch them for execution;
  • Obtain access to the command line;
  • Execute a search for files on the user's computer;
  • Obtain access to the clipboard;
  • Obtain access to chat during use of the application Windows Live Messenger;
  • Change the malicious user's server address;
  • Update settings;
  • Relaunch the malicious file;
  • Cease its own execution and delete its files.

This malicious file was created using the program "CyberGate RAT v1.04.8", which is a utility for remote administration. The developers' website:
http://website.cybe***-rat.org


Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the following processes:
    explorer.exe
    iexplore.exe (or the process for the browser used on the computer by default)
    
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following files:
    %Temp%\1234.exe
    %Temp%\KasKeygenRevised.exe
    %Temp%\instant.exe
    %Temp%\server.exe
    %WorkDir%\System.Data.SQLite.DLL 
    %Temp%\melt.tmp 
    %Temp%\TMP.dat
    %System%\install\server.exe
    %Temp%\XX—XX--XX.txt
    
  4. Delete the following system registry key parameters:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\
    Explorer\Run]
    "Policies" = "%System%\install\server.exe"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "HKLM" = "%System%\install\server.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
    Explorer\Run]
    "Policies" = "%System%\install\server.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HKCU" = "%System%\install\server.exe"
    
    [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
    {VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}]
    "StubPath" =  "%System%\install\server.exe Restart"
    
  5. Empty the Temporary Internet Files directory:
    %Temporary Internet Files%
  6. Restore the original content of the file:
    %System%\drivers\etc\hosts
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


Trojan-Dropper

Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.

This type of malicious program usually saves a range of files to the victim's drive (usually the Windows directory, the Windows system directory, a temporary directory, etc.) and launches them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).

Such programs are used by hackers to:

  • secretly install Trojan programs and/or viruses
  • protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojan.
