Trojan-Downloader.VBS.Agent.aby

Removal Instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following files:
    c:\windows\Resources\1001.exe
    c:\windows\Resources\1002.exe
    c:\windows\Resources\1003.exe
    c:\windows\Resources\1004.exe
    c:\windows\Resources\1005.exe
    c:\windows\Resources\1006.exe
    c:\windows\Resources\1007.exe
    c:\windows\Resources\1008.exe
    c:\windows\Resources\1009.exe
    c:\windows\Resources\1010.exe

  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: C68E13B3110B7108C01DC3807A0070E6
SHA1: 4481B06DE14144D5F39005ED011D84EF28AE2B47

Payload

Once launched, the Trojan downloads files from the following URL addresses:

http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1001.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1002.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1003.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1004.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1005.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1006.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1007.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1008.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1009.gif
http://adminlz***600.org/img/T1gANoXmXwXXcGRBI1_1010.gif

At the time of writing, these links were inactive. The Trojan saves the downloaded files under the following names, respectively:
c:\windows\Resources\1001.exe
c:\windows\Resources\1002.exe
c:\windows\Resources\1003.exe
c:\windows\Resources\1004.exe
c:\windows\Resources\1005.exe
c:\windows\Resources\1006.exe
c:\windows\Resources\1007.exe
c:\windows\Resources\1008.exe
c:\windows\Resources\1009.exe
c:\windows\Resources\1010.exe

The Trojan then launches the downloaded files for execution and, in hidden mode, launches Internet Explorer and opens the following link:
http://adminlz***600.org/img/gg.htm?vbs31
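
The indicators above (dropped file names, sample hashes, download and beacon request paths) collected into a small triage script. This is an added example, not part of the original entry; the host name in the proxy log lines is a constructed placeholder because the page masks the real domain, and the "client method url" log format is an assumption.

```python
"""Triage helper for the Trojan-Downloader.VBS.Agent.aby indicators listed in the entry."""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# Sample hashes as published in the entry (lower-cased for comparison).
KNOWN_MD5 = "c68e13b3110b7108c01dc3807a0070e6"
KNOWN_SHA1 = "4481b06de14144d5f39005ed011d84ef28ae2b47"
# The downloader writes its ten payloads to fixed names 1001.exe .. 1010.exe.
DROP_NAMES = [f"{n}.exe" for n in range(1001, 1011)]
# Request paths from the entry; the domain is masked there, so match on path only.
DOWNLOAD_RE = re.compile(r"/img/T1gANoXmXwXXcGRBI1_10(?:0[1-9]|10)\.gif$")
BEACON_RE = re.compile(r"/img/gg\.htm\?vbs31$")

# Constructed proxy log lines ("client method url"); the host is a placeholder.
SAMPLE_LOG = [
    "10.0.0.5 GET http://masked-host.example/img/T1gANoXmXwXXcGRBI1_1001.gif",
    "10.0.0.5 GET http://masked-host.example/img/T1gANoXmXwXXcGRBI1_1010.gif",
    "10.0.0.5 GET http://masked-host.example/img/gg.htm?vbs31",
    "10.0.0.7 GET http://intranet.example/img/logo.gif",
]

def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, streamed in 64 KiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def hashes_match(md5_hex, sha1_hex):
    """True if either digest equals the published sample hash."""
    return md5_hex.lower() == KNOWN_MD5 or sha1_hex.lower() == KNOWN_SHA1

def find_dropped_files(resources_dir):
    """Return the dropped payload names present under the given Resources folder."""
    root = Path(resources_dir)
    return sorted(name for name in DROP_NAMES if (root / name).is_file())

def classify_requests(log_lines):
    """Split log lines into payload-download URLs and hidden-IE beacon URLs."""
    downloads, beacons = [], []
    for line in log_lines:
        url = line.split()[-1]
        parts = urlsplit(url)
        target = parts.path + ("?" + parts.query if parts.query else "")
        if DOWNLOAD_RE.search(parts.path):
            downloads.append(url)
        elif BEACON_RE.search(target):
            beacons.append(url)
    return downloads, beacons

if __name__ == "__main__":
    print("dropped files:", find_dropped_files(r"c:\windows\Resources"))
    print("proxy hits:", classify_requests(SAMPLE_LOG))
```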

Technical Details

This Trojan downloads other malicious programs from the Internet and launches them for execution without the user's knowledge. It is a Visual Basic script, 3564 bytes in size.