Trojan.Win32.Agent.dcc

Technical Details

Installation

Once launched, the Trojan copies its executable file as shown below:

%System%\drivers\runtime.sys

In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which launches the Trojan executable file each time Windows is booted. The following registry key will be created:

[HKLM\System\CurrentControlSet\Services\runtime]

Once installed, the Trojan deletes its original file.


This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.

Payload

The Trojan contains a rootkit driver which masks the presence of Trojan files on the hard disk, and also the presence of the files listed below:

%System%\ntoskrnl.exe
%System%\ntkrnlpa.exe
%System%\ntkrnlmp.exe
%System%\ntkrpamp.exe

It also masks the presence of processes related to these files.

The Trojan also launches a hidden process called "iexplore.exe". It injects its code into this process, which will then download files from the following addresses:

208.66.194.***
66.246.252.***
208.66.195.***
74.53.42.***
74.53.42.***

Downloaded files will be saved as:

%TEMP%\<rnd>.exe

with <rnd> standing for a random sequence of numbers.

Once downloaded, the files will be launched for execution.

Removal Instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program’s process.
  2. Delete the following system registrykey:
    [HKLM\System\CurrentControlSet\Services\runtime]
  3. Delete the following file:
    %System%\drivers\runtime.sys
  4. Delete the contents of %Temp%
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).