Trojan-Dropper.Win32.Agent.albv
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 23552 bytes in size.
Installation
The Trojan copies its executable file as follows:
%WinDir%\system\svhost.exe
In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WSVCHO" = "%WinDir%\system\svhost.exe"
Payload
The Trojan adds its executable file to the Windows firewall list of trusted applications. It then launches the “iexplore.exe” process and injects its code into this process.
It also attempts to terminate the following processes:
- avesvc.exe
- issvc.exe
- ashdisp.exe
- vsmon.exe
- avgrsx.exe
- cpf.exe
- bdss.exe
- ca.exe
- spider.exe
- tnbutil.exe
- avp.exe
- nod32krn.exe
- mpfservice.exe
- cclaw.exe
- npfmsg.exe
- dvpapi.exe
- outpost.exe
- ewidoctrl.exe
- tpsrv.exe
- mcshield.exe
- pavfires.exe
- kpf4ss.exe
- almon.exe
- persfw.exe
- ccapp.exe
- vsserv.exe
- pccntmon.exe
- smc.exe
- fssm32.exe
It also attempts to disable the following services associated with antivirus and firewall programs:
- AntiVir
- Avast Antivirus
- AVG Antivirus
- BitDefender
- Dr.Web
- Kaspersky Antivirus
- Nod32
- Ewido Security Suite
- Norman
- Authentium Antivirus
- McAfee VirusScan
- Panda Antivirus/Firewall
- Sophos
- Symantec/Norton Antivirus
- PC-cillin Antivirus
- F-Secure
- Norton Personal Firewall
- ZoneAlarm
- Sygate Personal Firewall
- Tiny Personal Firewall
- BitDefender / Bull Guard
- Panda Anti-Virus/Firewall
- Kerio Personal Firewall
- McAfee Personal Firewall
- Norman Personal Firewall
- Outpost Personal Firewall
- Panda Internet Security Suite
- F-Secure Internet Security
- Kaspersky Antihacker
- Comodo Firewall
- eTrust EZ Firewall
The Trojan also harvests passwords to web sites saved to the cache of the browsers shown below:
- Mozilla Firefox
- Internet Explorer
It also harvests passwords and account data for the following IM clients:
- Trillian
- Miranda
- Yahoo Messenger
- MySpace IM
- Gaim
The Trojan has a built-in keylogger and can make screenshots of the user’s desktop. These screenshots are saved to the Temporary directory as <N> with <N> being a decimal number.
Harvested data is sent to the malicious user’s server:
212.158.160.***
Propagation via removable media
The Trojan copies its executable file to the root of each removable drive under the following name: <X>:\wlan.exe, with X being the disk letter.
In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk: <X>:\autorun.inf
This file will launch the Trojan executable file each time the user opens an infected disk using Explorer.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1. Use Task Manager to terminate the malicious program’s process.
2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following system registry key parameter:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe"
4. Delete the following file: %WinDir%\system\svhost.exe
5. Empty the temporary directory (%Temp%).
6. Delete the files shown below from all removable storage media:
<X>:\autorun.inf
<X>:\wlan.exe, with X being the disk letter
7. Update your antivirus databases and perform a full scan of the computer.
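The installation, propagation and removal sections above give three file-system and registry indicators: the "WSVCHO" Run value pointing at %WinDir%\system\svhost.exe, and the autorun.inf / wlan.exe pair on removable media. The triage helper below checks a drive root and a set of Run-key values for exactly those indicators; it is an added example, not code from the original description, and the sample drive it builds is constructed, not captured media.

```python
import configparser
import os
import re
import tempfile

DROPPED_NAME = "wlan.exe"   # copy dropped to the root of each removable drive
RUN_VALUE_NAME = "WSVCHO"   # Run-key value name used for persistence
# Look-alike name: "svhost" (no "c") under %WinDir%\system, not system32\svchost.exe
RUN_DATA_PATTERN = re.compile(r"\\system\\svhost\.exe$", re.IGNORECASE)


def parse_autorun(text):
    """Return the launch targets (open=, shellexecute=, ...) named in an autorun.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # malformed file: nothing recoverable from its contents
    if not cp.has_section("autorun"):
        return []
    keys = ("open", "shellexecute", "shell\\open\\command")
    return [cp.get("autorun", k) for k in keys if cp.has_option("autorun", k)]


def check_drive_root(root):
    """Findings for one drive root: dropped file present, autorun.inf launching it."""
    findings = []
    if os.path.isfile(os.path.join(root, DROPPED_NAME)):
        findings.append("dropped file present: " + DROPPED_NAME)
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, encoding="latin-1") as fh:
            targets = parse_autorun(fh.read())
        if any(DROPPED_NAME in t.lower() for t in targets):
            findings.append("autorun.inf launches " + DROPPED_NAME)
    return findings


def check_run_entries(entries):
    """entries: {value name: data} read from the Run key; returns suspicious value names."""
    hits = []
    for name, data in entries.items():
        if name.upper() == RUN_VALUE_NAME or RUN_DATA_PATTERN.search(data.strip().strip('"')):
            hits.append(name)
    return hits


def build_sample_drive():
    """Constructed sample (not captured media) mimicking an infected drive root."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=wlan.exe\nshellexecute=wlan.exe\n")
    open(os.path.join(root, DROPPED_NAME), "wb").close()
    return root
```

On a live Windows host, pass the drive letter root (e.g. `E:\`) to `check_drive_root` and the values of HKLM\...\CurrentVersion\Run (read with the standard winreg module) to `check_run_entries`.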
Source: VIRUS LIST
