Trojan-Dropper.Win32.Agent.albv
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 23552 bytes in size.
Installation
The Trojan copies its executable file as follows:
%WinDir%\system\svhost.exe
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe"
Payload
The Trojan adds its executable file to the Windows firewall list of trusted applications. It then launches the “iexplore.exe” process and injects its code into this process.
It also attempts to terminate the following processes:
- avesvc.exe
- ashdisp.exe
- avgrsx.exe
- bdss.exe
- spider.exe
- avp.exe
- nod32krn.exe
- cclaw.exe
- dvpapi.exe
- ewidoctrl.exe
- mcshield.exe
- pavfires.exe
- almon.exe
- ccapp.exe
- pccntmon.exe
- fssm32.exe
- issvc.exe
- vsmon.exe
- cpf.exe
- ca.exe
- tnbutil.exe
- mpfservice.exe
- npfmsg.exe
- outpost.exe
- tpsrv.exe
- kpf4ss.exe
- persfw.exe
- vsserv.exe
- smc.exe
It also attempts to disable the following services associated with antivirus and firewall programs:
- AntiVir
- Avast Antivirus
- AVG Antivirus
- BitDefender
- Dr.Web
- Kaspersky Antivirus
- Nod32
- Norman
- Authentium Antivirus
- Ewido Security Suite
- McAfee VirusScan
- Panda Antivirus/Firewall
- Sophos
- Symantec/Norton
- PC-cillin Antivirus
- F-Secure
- Norton Personal Firewall
- ZoneAlarm
- Comodo Firewall
- eTrust EZ Firewall
- F-Secure Internet Security
- Kaspersky Antihacker
- McAfee Personal Firewall
- Norman Personal Firewall
- Outpost Personal Firewall
- Panda Internet Security Suite
- Panda Anti-Virus/Firewall
- Kerio Personal Firewall
- Tiny Personal Firewall
- BitDefender / Bull Guard Antivirus
- Sygate Personal Firewall
The Trojan also harvests saved web site passwords from the caches of the following browsers and instant-messaging clients:
- Mozilla Firefox
- Internet Explorer
- Trillian
- Miranda
- Yahoo Messenger
- MySpace IM
- Gaim
Harvested data is sent to the malicious user’s server:
212.158.160.***
Propagation via removable media
The Trojan copies its executable file to the root of each removable drive under the following name:
<X>:\wlan.exe, with X being the drive letter
In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:
<X>:\autorun.inf
This file will launch the Trojan executable file each time the user opens an infected disk using Explorer.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the malicious program’s process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe"
- Delete the following file:
%WinDir%\system\svhost.exe
- Empty the temporary directory (%Temp%).
- Delete the files shown below from all removable storage media:
<X>:\autorun.inf
<X>:\wlan.exe, with X being the drive letter
- Update your antivirus databases and perform a full scan of the computer.
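The following PowerShell script is an added example, not part of the Kaspersky description and not a Kaspersky tool. It checks a host for the indicators given above (the svhost.exe process and file, the WSVCHO Run value, the firewall exception, and the wlan.exe / autorun.inf pair on removable drives) and, when run with -Remove, carries out the manual removal steps in the same order as the list. It assumes an elevated PowerShell 3.0 or later session; the firewall "AuthorizedApplications" registry path is the Windows XP-era location and is an assumption that may not exist on newer systems, where the check is simply skipped.

```powershell
# Added example (not from the original description): report or remove the
# indicators of Trojan-Dropper.Win32.Agent.albv listed on this page.
# Assumptions: elevated session; names are exactly as given in the description;
# the firewall list key is the pre-Vista location and may be absent.
[CmdletBinding()]
param(
    [switch]$Remove   # without this switch the script only reports findings
)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'WSVCHO'
$dropped  = Join-Path $env:WinDir 'system\svhost.exe'
$fwList   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$findings = @()
$action   = if ($Remove) { 'removed' } else { 'found' }

# 1. Running process: the dropped copy is named svhost.exe (not the legitimate svchost.exe).
#    Code injected into iexplore.exe is not handled here; reboot after cleanup.
foreach ($p in (Get-Process -Name 'svhost' -ErrorAction SilentlyContinue)) {
    $findings += "process svhost.exe (PID $($p.Id), path $($p.Path))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Autostart value in the Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += "Run value $runValue = $($run.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 3. Dropped executable under %WinDir%\system.
if (Test-Path -LiteralPath $dropped) {
    $findings += "file $dropped"
    if ($Remove) { Remove-Item -LiteralPath $dropped -Force }
}

# 4. Firewall trusted-application entry (assumed XP-era key; skipped if absent).
$fw = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Name -like '*\system\svhost.exe') {
            $findings += "firewall exception $($prop.Name)"
            if ($Remove) { Remove-ItemProperty -Path $fwList -Name $prop.Name }
        }
    }
}

# 5. Removable media: wlan.exe and autorun.inf in the root of each removable drive.
#    DriveType 2 = removable disk in Win32_LogicalDisk.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }
foreach ($d in $removable) {
    foreach ($name in 'autorun.inf', 'wlan.exe') {
        $path = "$($d.DeviceID)\$name"
        if (Test-Path -LiteralPath $path) {
            $findings += "removable media file $path"
            if ($Remove) { Remove-Item -LiteralPath $path -Force }   # -Force also removes hidden/read-only files
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators of Trojan-Dropper.Win32.Agent.albv found.'
} else {
    foreach ($f in $findings) { Write-Output "${action}: $f" }
}
```

Run it once without -Remove to see what it finds, then with -Remove; an "autorun.inf" in a drive root is only an indicator when it points at wlan.exe, so inspect it before deleting if the drive is used with other software. Emptying %Temp% and the full antivirus scan from the removal list are left to the operator.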