Trojan-Downloader.VBS.Agent.n

From Total Malware Info


A Trojan program that exploits a vulnerability in Microsoft Internet Explorer to download files from the Internet and execute them on the infected machine. The program is an encrypted VBS script embedded in an HTML page. The file size is 899 bytes.

Payload

When the infected page is opened, the Trojan begins by registering ActiveX objects in the user's system, identified by a series of unique class identifiers (CLSIDs).


The Trojan then uses the ActiveX object "Microsoft.XMLHTTP" to download the file "package.exe" from the link http://***/tool/package.exe?affid=477 (at the time of writing, this link was no longer working) and saves it under the name "svcipa.exe" in the following directories:

c:\
c:\tmp
c:\temp
c:\winnt\temp
c:\windows\temp

The Trojan then launches the downloaded file.

Removal instructions

If your computer was not protected by an anti-virus product and has been infected by this malware, perform the following actions to remove it:

  1. Delete the original Trojan file (its name and location depend on how the Trojan originally penetrated the target computer).
  2. Delete the following files (if they were created):
    c:\svcipa.exe
    c:\tmp\svcipa.exe
    c:\temp\svcipa.exe
    c:\winnt\temp\svcipa.exe
    c:\windows\temp\svcipa.exe
  3. Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer (download a trial version).
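As an added example (not part of the original page), the following PowerShell script automates step 2 above: it checks the drop directories for svcipa.exe, stops any running copy, and moves each file found into a quarantine folder with its SHA-256 recorded, rather than deleting it outright, so a sample remains available for analysis. The quarantine path and the requirement for PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added example, not from the original page. Assumes PowerShell 4 or later (Get-FileHash)
# and a quarantine folder path chosen here for illustration only.
$dropDirs   = @('C:\', 'C:\tmp', 'C:\temp', 'C:\winnt\temp', 'C:\windows\temp')
$fileName   = 'svcipa.exe'
$quarantine = 'C:\Quarantine'   # assumed location, not taken from the page

function Find-DroppedFiles {
    param([string[]]$Dirs, [string]$Name)
    # Return the full path of every copy that actually exists on this machine.
    foreach ($dir in $Dirs) {
        $candidate = Join-Path -Path $dir -ChildPath $Name
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { $candidate }
    }
}

function Move-ToQuarantine {
    param([string]$Path, [string]$Destination)
    # Hash the sample before moving it so the SHA-256 is preserved for later
    # correlation; the hash also becomes the quarantined file's name.
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $target = Join-Path -Path $Destination -ChildPath "$sha256.quarantined"
    Move-Item -LiteralPath $Path -Destination $target
    [pscustomobject]@{ Original = $Path; SHA256 = $sha256; QuarantinedAs = $target }
}

# The page states the Trojan launches the dropped file, so stop any running copy
# first; otherwise the executable could still be running after cleanup.
Get-Process -Name 'svcipa' -ErrorAction SilentlyContinue | Stop-Process -Force

$found = @(Find-DroppedFiles -Dirs $dropDirs -Name $fileName)
if ($found.Count -eq 0) {
    Write-Output "No copies of $fileName found in the listed drop directories."
} else {
    foreach ($path in $found) {
        Move-ToQuarantine -Path $path -Destination $quarantine
    }
}
```

Run it from an elevated prompt; step 3 (a full anti-virus scan) is still required because the original HTML dropper is not covered by this script.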
