BackDoor-CFB

Type: Trojan
SubType: Remote Access
Discovery Date: 05/28/2004
Length: 57,344 bytes (UPX packed)
Minimum DAT: 4364 (06/02/2004)
Updated DAT: 4896 (11/15/2006)
Minimum Engine: 5.1.00
Description Added: 06/02/2004
Description Modified: 07/29/2004 11:34 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a DLL component which may be installed automatically onto the victim's machine whilst visiting a website.

The filename of the DLL varies, for example:

  • COMPCKP.DLL
  • CTLAPA.DLL
  • CTLJOH.DLL
  • D3DKHE.DLL
  • HLPJP.DLL
  • HLPEO.DLL
  • KBDJEF.DLL
  • LOG.DLL
  • MS.DLL
  • MSA.DLL
  • WIN.DLL
  • WINLG.DLL
  • WDM.DLL

Registry modifications are made such that the DLL is loaded at system startup. The name of the Registry key added may vary, but it always starts with '**', followed by 1-4 random characters. For example:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "**xx" = RUNDLL32, %SysDir%\(DLL filename).DLL,StreamingDeviceSetup

The following Registry key modification will also be present:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    "AppInit_DLLs"="%SysDir%\(DLL filename).DLL"

This key is modified like this in order to load the DLL into other processes as they are run on the system. Because of this, removal with the specified DATs requires either a restart, or the scanning/cleaning to be performed in Safe Mode.

The DLL file is not malicious by itself but it may be used by a malicious program to export system information from the victim's machine.
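The two Registry modifications above are the most reliable host-side indicators for this detection, so a defender will usually want to check for them across many machines rather than by hand. The script below is an added example and is not part of the McAfee advisory or its tooling: it parses a text export in the .reg format and flags a Run value whose name matches the '**' plus 1-4 characters pattern, and any non-empty AppInit_DLLs value, rating the latter higher when the filename is one the advisory lists. The sample export, the value name "**ab" and the path C:\WINDOWS\System32\CTLAPA.DLL are constructed for the demonstration.

```python
import re
from typing import Dict, List

# DLL filenames listed in the advisory. A match strengthens a finding; a miss
# does not clear it, because the advisory says the filename varies.
KNOWN_DLL_NAMES = {
    "COMPCKP.DLL", "CTLAPA.DLL", "CTLJOH.DLL", "D3DKHE.DLL", "HLPJP.DLL",
    "HLPEO.DLL", "KBDJEF.DLL", "LOG.DLL", "MS.DLL", "MSA.DLL", "WIN.DLL",
    "WINLG.DLL", "WDM.DLL",
}

# Key suffixes are compared case-insensitively against the exported key path,
# so HKLM\SOFTWARE\... and HKLM\Software\... both match.
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
APPINIT_KEY_SUFFIX = r"\microsoft\windows nt\currentversion\windows"

# Run value name as described in the advisory: '**' followed by 1-4 characters.
STAR_NAME_RE = re.compile(r"^\*\*.{1,4}$")
KEY_LINE_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed sample in .reg export format (not taken from the advisory). The
# value name "**ab" and the CTLAPA.DLL path are made up to illustrate the
# indicators; the other values are benign decoys that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"**ab"="RUNDLL32 C:\\WINDOWS\\System32\\CTLAPA.DLL,StreamingDeviceSetup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"AppInit_DLLs"="C:\\WINDOWS\\System32\\CTLAPA.DLL"
"USERProcessHandleQuota"=dword:00002710
"""


def _unescape(data: str) -> str:
    # A .reg export doubles backslashes and escapes quotes with a backslash;
    # dropping the escaping backslash restores the stored string.
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Flatten a .reg export into key/name/data records for string values.
    dword: and hex: values are skipped; the indicators here only need strings."""
    records: List[Dict[str, str]] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_LINE_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = STRING_VALUE_RE.match(line)
        if value_match and current_key is not None:
            records.append({
                "key": current_key,
                "name": value_match.group("name"),
                "data": _unescape(value_match.group("data")),
            })
    return records


def scan_reg_export(text: str) -> List[Dict[str, object]]:
    """Apply the advisory's two persistence indicators to an exported .reg text."""
    findings: List[Dict[str, object]] = []
    for rec in parse_reg_export(text):
        key_lc = rec["key"].lower()
        if key_lc.endswith(RUN_KEY_SUFFIX) and STAR_NAME_RE.match(rec["name"]):
            # Indicator 1: a Run value named '**' + 1-4 chars. The RUNDLL32
            # export name from the advisory is recorded as corroborating evidence.
            findings.append({
                **rec,
                "indicator": "run-key-star-name",
                "export_name_match": "streamingdevicesetup" in rec["data"].lower(),
            })
        elif (key_lc.endswith(APPINIT_KEY_SUFFIX)
              and rec["name"].lower() == "appinit_dlls"
              and rec["data"].strip()):
            # Indicator 2: AppInit_DLLs is empty by default, so any non-empty
            # value deserves review; a filename from the advisory raises priority.
            dll_name = rec["data"].strip().replace("/", "\\").rsplit("\\", 1)[-1].upper()
            findings.append({
                **rec,
                "indicator": "appinit-dlls-set",
                "known_dll_name": dll_name in KNOWN_DLL_NAMES,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG_EXPORT):
        print(finding)
```

On a real machine the input would come from `reg export` of the two keys; that tool writes UTF-16 with a byte-order mark, so open the file with `encoding="utf-16"` before passing its text to scan_reg_export. The AppInit_DLLs check deliberately reports any non-empty value rather than only known filenames, because the advisory states the DLL name varies; the known_dll_name flag is there to prioritise, not to filter.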

Symptoms

Method of Infection

Removal

Stinger
The stand-alone Stinger tool can be used for detection and removal. Removal requires a reboot.

DAT Files
Use the specified DAT files for detection. The 4383 DAT files and higher contain both detection and repair. However, a reboot is required for the repair to complete.

Manual Removal with DAT files
This threat has both stealth and self-preservation capabilities. The following manual steps are required to deactivate the trojan in memory.

  1. Edit the registry
    • Rename the following "Windows" key to "Windows_renamed" here:
      • Before
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows NT\CurrentVersion\Windows
      • After
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows NT\CurrentVersion\Windows_renamed
  2. Reboot the system.

At this point, an On-Demand Virus Scan will detect and remove the trojan from FAT/FAT32 partitions. Manual deletion may also be accomplished if the random .DLL filename is known.

NTFS partitions require the following additional steps:

  1. Note the detected filename.
  2. Navigate to the System Directory.
    1. Click Start, Run, type %WinDir%\System32 and press Enter.
  3. Enable showing all files.
    1. Click Tools, Folder Options, View, select Show Hidden Files and Folders, and click OK.
  4. Change the file permissions for the detected file (as noted above).
    1. Disable the On-Access scanner (right-click the VShield icon in the task tray and choose Disable).
    2. Right-click on the detected .dll file.
    3. Uncheck the Read-only check box.
    4. Click the Security tab.
    5. Make sure Full Control is checked for all entries.
    6. Click OK.
  5. Delete the file.
  6. Re-enable the On-Access scanner.

The previous registry change needs to be reverted to complete the process.

  1. Edit the registry
    • Rename the "Windows_renamed" key back to its original name "Windows":
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows NT\CurrentVersion\Windows
  2. Reboot the system.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Agent.ac (Kaspersky)
  • Bck/Agent.E (Panda)
  • TROJ_AGENT.AC (Trend)
  • Win32.Mersting.B (CA Vet)
  • Win32/Agent.AC (Eset)
