Trojan-Downloader.Win32.Agent.ici

From Total Malware Info


This Trojan is designed to steal confidential information. It is a Windows PE EXE file; the original file is 25472 bytes in size.

Installation

The Trojan drops its driver component into %System%\drivers under a name of the form <3 letters+2 digits> (Rntm3 in the sample described here):

  • <3 letters+2 digits>.sys

The Trojan registers this file as a kernel-mode driver service (Type 1 = SERVICE_KERNEL_DRIVER) with boot start (Start 0 = SERVICE_BOOT_START), so the driver is loaded early in every boot of the victim machine:

[HKLM\System\CurrentControlSet\Services\<3 letters+2 digits>]
"ImagePath"="%System%\drivers\<3 letters+2 digits>.sys"
"Type"="dword:0x00000001"
"Start"="dword:0x00000000"

It also creates the following registry value, which serves as an infection marker:

[HKCR\Software\Microsoft]
"OSVersion"="435015"

The Trojan also registers the driver in both SafeBoot lists, so it is loaded even when Windows is started in Safe Mode or Safe Mode with Networking:

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\<3 letters+2 digits>.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\<3 letters+2 digits>.sys]
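The persistence described above (a boot-start kernel driver with a short generated name, a matching <name>.sys under the drivers directory, SafeBoot entries and the OSVersion marker) can be checked offline from a registry export. The following Python script is an added example and is not part of the original description or of any vendor tool: it parses the text format written by `reg export`, then reports services matching this pattern. The sample export embedded in it is constructed, not taken from an infected machine; the name regex is an assumption widened to accept both the page's <3 letters+2 digits> template and the sample name Rntm3, and the marker is searched under every hive because the page's HKCR notation is unusual.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the text format that `reg export` writes (real exports
# are UTF-16LE; open them with encoding="utf-16"). The entries are invented to
# mirror the description: a legitimate boot-start driver (Disk), the page's
# Rntm3 name, and a second name that matches the <3 letters+2 digits> template
# and has both SafeBoot entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk]
"ImagePath"="\\SystemRoot\\System32\\drivers\\disk.sys"
"Type"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rntm3]
"ImagePath"="%System%\\drivers\\Rntm3.sys"
"Type"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Abc12]
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\Abc12.sys"
"Type"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\Abc12.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\Abc12.sys]
@="Driver"

[HKEY_CLASSES_ROOT\Software\Microsoft]
"OSVersion"="435015"
"""

SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SAFEBOOT = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\"
SERVICE_KERNEL_DRIVER = 1   # "Type" value of a kernel-mode driver
SERVICE_BOOT_START = 0      # "Start" value of a boot-start service
# Assumption: covers the page's <3 letters+2 digits> template and its sample
# name Rntm3 (4 letters + 1 digit), so both are caught.
GENERATED_NAME = re.compile(r"^[A-Za-z]{3,4}\d{1,2}$")


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: value}}.
    REG_SZ strings are unescaped, dword values become ints, other types are
    kept as raw text. The default value is stored under the name ""."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        if current is None or line.startswith(" "):  # hex: continuation line
            continue
        name_part, _, value_part = line.partition("=")
        name = "" if name_part == "@" else name_part.strip('"')
        value: object
        if value_part.startswith('"') and value_part.endswith('"'):
            value = value_part[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif value_part.lower().startswith("dword:"):
            value = int(value_part[6:], 16)
        else:
            value = value_part
        current[name] = value
    return keys


def find_suspicious_drivers(keys: Dict[str, Dict[str, object]]) -> List[dict]:
    """Boot-start kernel drivers whose service name looks generated, with the
    corroborating traits the description lists. Short legitimate vendor names
    can match too, so treat hits as triage leads rather than verdicts."""
    lower_paths = {p.lower() for p in keys}
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(SERVICES):
            continue
        name = path[len(SERVICES):]
        if "\\" in name:  # a sub-key such as ...\Rntm3\Enum, not the service itself
            continue
        if (values.get("Type") != SERVICE_KERNEL_DRIVER
                or values.get("Start") != SERVICE_BOOT_START
                or not GENERATED_NAME.match(name)):
            continue
        image = str(values.get("ImagePath", ""))
        indicators = ["boot-start kernel driver with generated-looking name"]
        basename = image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if "\\drivers\\" in image.lower() and basename == name.lower() + ".sys":
            indicators.append("image is <name>.sys under a drivers directory")
        for mode in ("minimal", "network"):
            if SAFEBOOT + mode + "\\" + name.lower() + ".sys" in lower_paths:
                indicators.append("registered in SafeBoot\\" + mode.capitalize())
        findings.append({"service": name, "image": image, "indicators": indicators})
    return findings


def find_os_version_marker(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Keys named ...\\Software\\Microsoft carrying the literal OSVersion marker."""
    return [p for p, v in keys.items()
            if p.lower().endswith("\\software\\microsoft") and v.get("OSVersion") == "435015"]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for hit in find_suspicious_drivers(parsed):
        print(hit["service"], hit["image"], "; ".join(hit["indicators"]))
    for marker in find_os_version_marker(parsed):
        print("infection marker under", marker)
```

On a live host, produce the input with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg`, decode both as UTF-16 and concatenate them before calling parse_reg. When working from a SYSTEM hive taken off a disk image, note that CurrentControlSet is only a symbolic link that exists on a running system: the real data lives in ControlSet00N (the one named by Select\Current), so the SERVICES and SAFEBOOT prefixes must be adjusted accordingly.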

Payload

Once launched, the Trojan injects its code into the address space of svchost.exe. From within svchost.exe it then opens several ports, and the infected machine can be used to send spam by Email-Worm.Win32.Agent.cg.

Removal Instructions

  1. Using Task Manager, terminate the svchost.exe process into which the Trojan has injected its code. Note that svchost.exe hosts many legitimate Windows services, so terminating every instance will destabilise the system; identify the instance holding the unexpected listening ports first (for example with netstat -ano, which lists the owning PID).
  2. Stop the <3 letters+2 digits>.sys driver service. Type in the command line:
    • sc stop Rntm3
    If the driver cannot be stopped, remove its registry entries (next step), reboot, and then continue.
  3. Delete the service's registry key and its SafeBoot entries:
    • [HKLM\System\CurrentControlSet\Services\<3 letters+2 digits>]
    • [HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\<3 letters+2 digits>.sys]
    • [HKLM\System\CurrentControlSet\Control\SafeBoot\Network\<3 letters+2 digits>.sys]
  4. Delete the original file.
  5. Delete the following files:
    • %System%\drivers\<3 letters+2 digits>.sys
  6. Update your antivirus databases and perform a full scan of the computer.