Trojan-Downloader.JS.Agent.kd

From Total Malware Info


This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user's knowledge or consent. It is 39183 bytes in size. It is written in JavaScript.

Payload

The body of the Trojan is encrypted and embedded in a specially crafted web page. When that page is opened in the browser, the script decrypts itself and instantiates (loads into the browser process) the ActiveX components registered in the system registry under the following class identifiers (CLSIDs):

{BD96C556-65A3-11D0-983A-00C04FC29E30}
{BD96C556-65A3-11D0-983A-00C04FC29E36}
{AB9BCEDD-EC7E-47E1-9322-D4A210617116}
{0006F033-0000-0000-C000-000000000046}
{0006F03A-0000-0000-C000-000000000046}
{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
{6414512B-B978-451D-A0D8-FCFDF33E833C}
{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
{06723E09-F4C2-43c8-8358-09FCD1DB0766}
{639F725F-1B2D-4831-A9FD-874847682010}
{BA018599-1DB3-44f9-83B4-461454C84BF8}
{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}
{E8CCCDDF-CA28-496b-B050-6C07C962476B}

To execute arbitrary code on a vulnerable system, the Trojan exploits vulnerabilities in the following ActiveX components:

"WinZIP Fileview"
"QuickTime"
"WebViewFolderIcon"

It also exploits a vulnerability in the Internet Explorer library Msdds.dll. The Trojan then uses an Internet Explorer vulnerability to download a file from the following URL:

Using the ADODB.Stream vulnerability, the Trojan writes the downloaded file to the root of drive C: as:

C:\sys<rnd>.exe

where <rnd> is a random sequence of letters of the English alphabet.

Also, this file will be saved to the Windows system directory as:

%System%\~.exe
%System%\cpu.exe

It is also saved as "tm.exe" in the parent directory of the original Trojan file. The saved files are then launched for execution.
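As an added example (not code from the original entry), the following Node.js script triages a saved web page for the indicators described above: the CLSIDs listed in the Payload section, ActiveXObject ProgIDs including ADODB.Stream, and the drop-file names (sys<rnd>.exe, ~.exe, cpu.exe, tm.exe). The sample page embedded at the bottom is constructed for illustration, with the payload URL and exploit specifics omitted; the light string decoding and the scoring thresholds are the editor's assumptions, not part of the original description.

```javascript
// Added example, not code from the original entry: static triage of a saved
// web page for the indicators described in this entry. Run with: node scan.js

// CLSIDs the description associates with this Trojan (normalised to upper case).
const KNOWN_CLSIDS = new Set([
  "BD96C556-65A3-11D0-983A-00C04FC29E30",
  "BD96C556-65A3-11D0-983A-00C04FC29E36",
  "AB9BCEDD-EC7E-47E1-9322-D4A210617116",
  "0006F033-0000-0000-C000-000000000046",
  "0006F03A-0000-0000-C000-000000000046",
  "6E32070A-766D-4EE6-879C-DC1FA91D2FC3",
  "6414512B-B978-451D-A0D8-FCFDF33E833C",
  "7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
  "06723E09-F4C2-43C8-8358-09FCD1DB0766",
  "639F725F-1B2D-4831-A9FD-874847682010",
  "BA018599-1DB3-44F9-83B4-461454C84BF8",
  "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
  "E8CCCDDF-CA28-496B-B050-6C07C962476B",
]);

// Any GUID, braced or not, e.g. in <object classid="clsid:{...}"> or a string literal.
const GUID_RE = /\{?([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}?/gi;
// ProgIDs passed to new ActiveXObject("..."), which is how ADODB.Stream etc. are reached.
const PROGID_RE = /ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)/gi;
// Drop-file names from the description: sys<letters>.exe, ~.exe, cpu.exe, tm.exe.
const DROP_RE = /\b(sys[a-z]+\.exe|cpu\.exe|tm\.exe)\b|~\.exe/gi;

// Undo the two simplest string encodings (\xHH and %HH) so CLSIDs or ProgIDs hidden
// behind unescape() still surface. Real samples layer heavier obfuscation on top;
// this is triage, not script emulation (editor's assumption about what is worth decoding).
function deobfuscateLight(src) {
  const hex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return src.replace(/\\x([0-9a-f]{2})/gi, hex).replace(/%([0-9a-f]{2})/gi, hex);
}

// Scan one page and return the indicators found plus a coarse verdict.
function scanPage(html) {
  const text = deobfuscateLight(html);

  const clsids = new Set();
  for (const m of text.matchAll(GUID_RE)) {
    const id = m[1].toUpperCase();
    if (KNOWN_CLSIDS.has(id)) clsids.add(id);
  }
  const progids = new Set();
  for (const m of text.matchAll(PROGID_RE)) progids.add(m[1]);
  const dropFiles = new Set();
  for (const m of text.matchAll(DROP_RE)) dropFiles.add(m[0].toLowerCase());

  const usesAdodbStream = /ADODB\.Stream/i.test(text);

  // Thresholds are the editor's assumption: two known CLSIDs plus the write-to-disk
  // primitive plus a known drop name is a strong match; any single piece is only suspicious.
  let verdict = "clean";
  if (clsids.size >= 2 && usesAdodbStream && dropFiles.size > 0) {
    verdict = "likely Trojan-Downloader.JS.Agent.kd pattern";
  } else if (clsids.size > 0 || usesAdodbStream) {
    verdict = "suspicious";
  }
  return {
    clsids: [...clsids].sort(),
    progids: [...progids].sort(),
    dropFiles: [...dropFiles].sort(),
    usesAdodbStream,
    verdict,
  };
}

// Constructed sample page (not a real capture): ActiveX instantiation by CLSID,
// an escaped ProgID, a %-encoded CLSID, and an ADODB.Stream write to C:\sys<rnd>.exe.
const SAMPLE_HTML = `
<html><body>
<object classid="clsid:{BD96C556-65A3-11D0-983A-00C04FC29E30}" id="o1"></object>
<script>
var s = new ActiveXObject("ADODB.Stream");
var x = new ActiveXObject("\\x4D\\x73\\x78\\x6D\\x6C\\x32.XMLHTTP");
var cls2 = unescape("%7B6414512B-B978-451D-A0D8-FCFDF33E833C%7D");
s.SaveToFile("C:\\sysqwe.exe", 2);
var r = new ActiveXObject("Shell.Application"); r.ShellExecute("C:\\sysqwe.exe");
</script></body></html>`;

console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
```

On the constructed sample the scanner reports both CLSIDs, the three ProgIDs (ADODB.Stream, Msxml2.XMLHTTP, Shell.Application), the drop name sysqwe.exe, and the "likely" verdict; a page with none of the indicators comes back "clean". The CLSID list should be extended with the GUIDs of the named ActiveX components (WinZIP FileView, QuickTime, WebViewFolderIcon) from the registry of a reference machine before use on real traffic.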

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following files:
    C:\sys<rnd>.exe
    %System%\~.exe
    %System%\cpu.exe
    ..\tm.exe (in the parent directory of the original Trojan file)
    
  3. Clear directory:
    %Temporary Internet Files%
  4. Update your antivirus databases and perform a full scan of the computer.