Trojan.Win32.Agent2.lmu

Removal Instructions

If your computer was not protected by anti-virus software and has been infected with this malware, take the following actions to remove it:

  1. Using Task Manager, end the process containing the malicious library in its address space.
  2. Delete the original trojan file (its location on the infected computer will depend on how it got onto the computer).
  3. Delete the following files:
    %Temp%\mpz.tmp
    %Temp%\mpz.s
    %Temp%\r43q34.tmp
    c:\email_sent.txt
    c:\ftp.txt
    c:\email.txt
    

  4. Run a full Kaspersky Antivirus scan with updated antivirus databases.



MD5: D807AA04480D1D149F7A4CAC22984188
SHA1: FFD5BE65FD10017E34C11CECD105EBF4AA6C0CD9

Payload

Once loaded into the address space of any process, the malicious library installs a hook to track the messages in the system queue. The following "ws2_32.dll" library functions are also intercepted:

WSASend
send
recv
WSARecv

This allows the trojan to track incoming and outgoing traffic for the infected process, recording the collected data to the following files:
%Temp%\mpz.tmp
%Temp%\mpz.s
%Temp%\r43q34.tmp
c:\email_sent.txt
c:\ftp.txt
c:\email.txt

Technical Details

The trojan is a spyware component. It is a Windows dynamic-link library (PE DLL file), 5120 bytes in size and packed with UPX. The unpacked size is around 10 kB. It is written in C++.
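A triage sweep for the log files and hashes listed above, added here as an example and not taken from the original advisory. The function names, the 64 KiB hashing cap and the `C:/Users/*/AppData/Local/Temp` layout are assumptions.

```python
import hashlib
import os
from pathlib import Path

# Indicators copied from this page.
TEMP_ARTIFACTS = ["mpz.tmp", "mpz.s", "r43q34.tmp"]          # under %Temp%
ROOT_ARTIFACTS = ["email_sent.txt", "ftp.txt", "email.txt"]  # under c:\
MD5 = "d807aa04480d1d149f7a4cac22984188"
SHA1 = "ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9"
MAX_SIZE = 64 * 1024  # assumption: the page gives 5120 bytes, so skip big files

def find_artifacts(temp_dirs, root_dir):
    """Return the log files named on this page that exist on disk."""
    candidates = [Path(t) / n for t in temp_dirs for n in TEMP_ARTIFACTS]
    candidates += [Path(root_dir) / n for n in ROOT_ARTIFACTS]
    return [p for p in candidates if p.is_file()]

def matches_sample(path, md5=MD5, sha1=SHA1):
    """True only if both the MD5 and the SHA1 of the file match."""
    data = Path(path).read_bytes()
    return (hashlib.md5(data).hexdigest() == md5
            and hashlib.sha1(data).hexdigest() == sha1)

def find_sample(search_dirs, md5=MD5, sha1=SHA1):
    """Walk the directories and hash small files, looking for the DLL."""
    hits = []
    for top in search_dirs:
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                p = Path(dirpath) / name
                try:
                    if p.stat().st_size <= MAX_SIZE and matches_sample(p, md5, sha1):
                        hits.append(p)
                except OSError:
                    continue  # locked or unreadable file: skip it
    return hits

if __name__ == "__main__":
    # Assumption: per-user temp directories follow the default profile layout.
    temps = list(Path("C:/Users").glob("*/AppData/Local/Temp"))
    for p in find_artifacts(temps, "C:/"):
        print("artifact:", p)
    for p in find_sample(temps):
        print("hash match:", p)
```

A hash match is a strong indicator. Generic names such as `c:\email.txt` or `c:\ftp.txt` can belong to unrelated software, so treat a filename hit alone as a lead to investigate.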