How to Detect and Remove Trojan.Win32.Agent.azsy

Published by KarlM
07-03-2009

The Trojan.Win32.Agent.azsy program is one of the newer variants of the Trojan.Win32.Agent malware family. It enters systems through flaws in firewalls and minor security vulnerabilities. Some anti-virus products flag Trojan.Win32.Agent.azsy as Trojan-Downloader.Win32.Agent.aoth, which is essentially the same program.

Once inside, the Trojan starts issuing fake pop-up alerts and bogus system scans, telling users they have multiple security problems that must be fixed by Personal Antivirus. Its aim is to scare people into buying and installing a licensed version of Personal Antivirus, a rogue anti-spyware program.

In addition, the Trojan exposes infected systems to other threats by illicitly opening connections that allow the affected computer to be accessed remotely. Both Trojan.Win32.Agent.azsy and its affiliated rogue anti-spyware Personal Antivirus are highly dangerous malware programs that should be removed immediately upon detection. If left in place, they may cause the system to freeze and crash, violate your privacy and degrade your Internet connection.

Details:

The actual file is a Windows PE EXE file with a size of 417792 bytes, written in C++ and packed using UPX. The unpacked file is around 439 KB in size.

Installation:

Once launched, the Trojan copies its body to the current user’s Windows startup directory:

%Documents and Settings%\<user_name>\Main Menu\Programs\Startup\uninstall.exe

This Trojan delivers its payload when the infected computer is rebooted. After startup, it extracts a file from itself with one of the following names:

%Documents and Settings%\<user_name>\Application Data\dumpreport.exe
%Documents and Settings%\<user_name>\Application Data\event.exe
%Documents and Settings%\<user_name>\Application Data\helper.exe
%Documents and Settings%\<user_name>\Application Data\logon.exe
%Documents and Settings%\<user_name>\Application Data\lsas.exe
%Documents and Settings%\<user_name>\Application Data\msiexeca.exe
%Documents and Settings%\<user_name>\Application Data\rundll.exe
%Documents and Settings%\<user_name>\Application Data\service.exe
%Documents and Settings%\<user_name>\Application Data\sound.exe
%Documents and Settings%\<user_name>\Application Data\svchosts.exe
%Documents and Settings%\<user_name>\Application Data\taskmon.exe
%Documents and Settings%\<user_name>\Application Data\upnpsvc.exe

The Trojan ensures that it is launched automatically every time the system is rebooted by modifying the system registry and creating a link to the file it extracted from its body:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd1>" = "<rnd2>"

<rnd1> is a random name chosen from the list below:

EventLog
CrashDump
Init
lsass
RunDll
Regscan
Setup
svchosts
Sound
System
UPNP
TaskMon
Windows

<rnd2> is the path to the file extracted from the Trojan, one of the Application Data files listed above.

Upon delivering its payload, the Trojan will erase itself by deleting both its body and its copy:

"%Documents and Settings%\<user_name>\Main Menu\Programs\Startup\uninstall.exe".

Trojan.Win32.Agent.azsy Manual Removal

If your computer does not have an up-to-date antivirus, or has no antivirus solution at all, follow the instructions below to delete the malicious program:

1. Open the Task Manager [Ctrl+Alt+Del] and click the Processes tab. Select the malware application’s name (check the .exe list above) and click “End Process” to stop it from running.

2. Delete this value from the system registry Run key (remove only the listed "<rnd1>" value, not the whole Run key, because legitimate programs keep their startup entries there):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd1>" = "<rnd2>"

3. Erase the original Trojan file. Its exact location depends on how the program originally entered the infected system.

4. Delete these files:

%Documents and Settings%\<user_name>\Application Data\svchosts.exe
%Documents and Settings%\<user_name>\Application Data\taskmon.exe
%Documents and Settings%\<user_name>\Application Data\rundll.exe
%Documents and Settings%\<user_name>\Application Data\service.exe
%Documents and Settings%\<user_name>\Application Data\sound.exe
%Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
%Documents and Settings%\<user_name>\Application Data\lsas.exe
%Documents and Settings%\<user_name>\Application Data\logon.exe
%Documents and Settings%\<user_name>\Application Data\helper.exe
%Documents and Settings%\<user_name>\Application Data\event.exe
%Documents and Settings%\<user_name>\Application Data\dumpreport.exe
%Documents and Settings%\<user_name>\Application Data\msiexeca.exe

5. Delete all files from the Temporary Internet Files folder.

6. If you don’t have an anti-virus program yet, download or buy one and update its virus databases, then do a full scan of the computer.
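As an added check for the artifacts described in the Installation section and in steps 2 and 4 above (an example script written for this page, not part of the original tutorial), the following reads the current user's Run key, Application Data folder and Startup folder and reports anything matching the listed names without deleting it. It assumes a PowerShell session running as the affected user; $env:APPDATA and the Startup special folder are the current-profile equivalents of the %Documents and Settings% paths quoted above.

```powershell
# Added example, not code from the original tutorial: report (do not delete)
# the persistence artifacts the tutorial lists. Run it as the affected user.
# $env:APPDATA and the Startup folder correspond to the
# "%Documents and Settings%\<user_name>\Application Data" and
# "...\Main Menu\Programs\Startup" paths quoted in the tutorial.

$valueNames = 'EventLog','CrashDump','Init','lsass','RunDll','Regscan',
              'Setup','svchosts','Sound','System','UPNP','TaskMon','Windows'
$fileNames  = 'dumpreport.exe','event.exe','helper.exe','logon.exe','lsas.exe',
              'msiexeca.exe','rundll.exe','service.exe','sound.exe',
              'svchosts.exe','taskmon.exe','upnpsvc.exe'
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# 1. Run-key entries: flag a value whose name is on the <rnd1> list, or whose
#    data (<rnd2>) points at one of the dropped file names.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        $data = [string]$p.Value
        $leaf = ($data.Trim('"') -split '\\')[-1]      # file name part of the command
        if (($valueNames -contains $p.Name) -or ($fileNames -contains $leaf)) {
            $findings += [pscustomobject]@{ Type='RunValue'; Item=$p.Name; Detail=$data }
        }
    }
}

# 2. Dropped payload files in the user's Application Data folder.
foreach ($f in $fileNames) {
    $path = Join-Path $env:APPDATA $f
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings += [pscustomobject]@{ Type='File'; Item=$path; Detail="$size bytes" }
    }
}

# 3. The copy the Trojan places in the Startup folder (the tutorial notes it
#    deletes this after running, so its absence does not prove the machine is clean).
$copy = Join-Path ([Environment]::GetFolderPath('Startup')) 'uninstall.exe'
if (Test-Path -LiteralPath $copy) {
    $findings += [pscustomobject]@{ Type='Startup'; Item=$copy; Detail='copy of Trojan body' }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'None of the listed artifacts found.' }
```

A hit on a value name alone (for example "System" or "Windows") is a prompt to inspect that value's data, since legitimate software can use similar names; compare the path it points to with the file list in step 4 before removing anything.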
