Trojan.Win32.Agent.eory

Technical Details

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE DLL file). It is 26 625 bytes in size. It is written in C++.

Installation

The Trojan copies its body to the Windows system directory as "iqum.tco":

%System%\iqum.tco

In order to ensure that it is launched automatically when the system is rebooted, the Trojan adds an entry to the system registry autorun key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe iqum.tco lqpjxwe"

Payload

If Microsoft Office is installed on the user's computer, the Trojan lowers its security level to Low by writing the following values to the system registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"Level" = "1"
"AccessVBOM" = "1"

It also runs a macro, through which the original body of the Trojan is launched.

To ensure that only one copy of its process runs on the system, the Trojan creates a unique identifier:

54774082920a5dc9d

The Trojan then creates a process named "svchost.exe" and injects its malicious code into that process's address space:

svchost.exe

The Trojan sends a request to the following address:

http://repu***cracy.cn/myxxx/bb.php

At the time of writing, this link was inactive.

In response, it receives a configuration file that controls its subsequent functionality.

Links received in the configuration file for downloading other malicious files are saved by the Trojan in the following registry key:

[HKCR\idid]

Removal Instructions

If your computer does not have antivirus software installed and is infected by this malicious program, follow the instructions below to remove it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following file:
    %System%\iqum.tco
  3. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?):
    %Temporary Internet Files%
  4. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKCR\idid]
  5. If necessary, restore the values of the "Level" and "AccessVBOM" parameters in the following system registry key (see What is a system registry and how do I use it?):
    [HKCU\Software\Microsoft\Office\11.0\Word\Security]
    "Level"
    "AccessVBOM"
  6. Restore the "Shell" parameter of the following system registry key to its original value (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe"
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
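As an added, read-only audit (not part of the original description), the following PowerShell checks a host for the indicators given in the Installation and Payload sections, and can be re-run after the removal steps to confirm nothing was missed. It assumes %System% resolves to System32 under $env:SystemRoot and only reports findings; it changes nothing.

```powershell
# Added example: audit a host for the indicators described above. Read-only.
$findings = @()

# 1. Body dropped into the system directory (assumes %System% = System32)
$dropped = Join-Path $env:SystemRoot 'System32\iqum.tco'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. Winlogon Shell hijack: anything other than the stock "explorer.exe" is suspicious
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {   # -ne is case-insensitive in PowerShell
    $findings += "Winlogon Shell modified: '$shell'"
}

# 3. Word security lowered under the 11.0 (Office 2003) key: Level=1 is Low,
#    AccessVBOM=1 allows programmatic access to the VBA project
$wordSec = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security'
$sec = Get-ItemProperty -Path $wordSec -ErrorAction SilentlyContinue
if ($sec) {
    foreach ($name in 'Level', 'AccessVBOM') {
        if ("$($sec.$name)" -eq '1') { $findings += "Word security weakened: $name=1" }
    }
}

# 4. Download links from the configuration file are stored under HKCR\idid
if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\idid') {
    $findings += 'Registry key present: HKCR\idid'
}

if ($findings.Count -eq 0) {
    'No indicators of Trojan.Win32.Agent.eory found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The HKCU checks only cover the account running the script, so run it as each user who may have opened the infected document.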