Trojan.Win32.Agent2.ddnd

Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with this malware, take the following actions to remove it:

  1. Using Task Manager, end the trojan process.
  2. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  3. Delete the system registry key (how to work with the registry?):
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "<name of the executable trojan file without extension>" = "<full path to the original trojan file>"
  4. Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
  5. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: FED763A86628E820EEE6C9C8547FECB1
SHA1: C60D2E07D025B7AB09FF4B10999838758BF24B7A

Payload

After launching, the trojan carries out the following actions in an infinite loop:

  • It reads the content of the HTML page at the following address:
    http://www.aca****ctreks.com/postinfo.html

  • It parses the received data for links to the files to be downloaded.
  • It downloads the files from those links and saves them in the current user's temporary directory as
    %Temp%\<FileName>.exe

    where <FileName> is taken from the link.
  • If a download succeeds, the downloaded file is launched for execution.


Depending on the result of the download, the time between the loop iterations may be 8, 10, 90, or 100 minutes.

Technical Details

A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a Windows application (PE-EXE file), 8704 bytes in size, written in C++.

Installation

The trojan creates a system registry key to automatically launch its original file when the system is next loaded up:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<name of the executable trojan file without extension>" = "<full path to the original trojan file>"
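The Run-key persistence described under Installation and targeted by step 3 of the removal instructions can be triaged offline from a `reg export` of the current user's Run key. The following script is an added example (not from this description or from Kaspersky) and works on a constructed sample export: it parses the REG_SZ values of the HKCU Run key, flags any entry whose program lives under the user's Temp directory (the drop location given above for the downloaded payloads), and reports whether the value name equals the executable name without extension, the naming the description gives for the autorun value. The sample entries, paths and user name are all invented.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of HKCU\...\Run (not a real capture).
# The "postinfo" entry follows the pattern in the description: value name =
# executable name without extension, data = full path to the dropped file.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Vendor Agent"="\"C:\\Program Files\\Vendor\\agent.exe\" /minimized"
"postinfo"="C:\\Users\\alice\\AppData\\Local\\Temp\\postinfo.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Users\\alice\\AppData\\Local\\Temp\\cleanup.exe"
'''

RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"
# Only REG_SZ values ("name"="data") are handled; hex(2) expandable strings are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape a double quote and a backslash with a leading backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")

def executable_path(data):
    """Strip command-line arguments from a Run value and return the program path."""
    data = data.strip()
    if data.startswith('"'):                 # quoted path, arguments follow the closing quote
        return data[1:data.index('"', 1)]
    end = data.lower().find(".exe")          # unquoted path, possibly containing spaces
    return data[:end + 4] if end != -1 else data.split()[0]

def parse_run_values(reg_text):
    """Return {value_name: data} for the HKCU Run key only (other keys are ignored)."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = (line == RUN_KEY)
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values

def suspicious_run_entries(reg_text):
    """Flag Run entries whose program is under the user's Temp directory. A value
    named after the executable's stem is reported as supporting evidence only,
    because many legitimate autorun entries are named that way as well."""
    findings = []
    for name, data in parse_run_values(reg_text).items():
        path = PureWindowsPath(executable_path(data))
        low = str(path).lower()
        if "\\appdata\\local\\temp\\" in low or "%temp%\\" in low:
            findings.append({"name": name, "path": str(path),
                             "named_after_file": name.lower() == path.stem.lower()})
    return findings

if __name__ == "__main__":
    for finding in suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live system the same check can be run against the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; a hit is a lead to investigate, not proof of this particular sample.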