Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
About Hackers
About Hackers

Find out more about hackers and vulnerabilities in our About Hackers and Vulnerabilities section.
About Spam
About Spam

Read about spam and spammers in our About Spam section.

 		 

  Home / Viruses / Virus Encyclopedia

Trojan-Downloader.Win32.Agent.mee

Other versions: .ac, .ahoe, .bl, .bq, .fk, .pj, .qlh, .rs, .td, .tuc, .uj, .zf

Aliases
Trojan-Downloader.Win32.Agent.mee (Kaspersky Lab) is also known as: Trojan-Downloader.Win32.Agent.mee (Kaspersky Lab),
Detection added Mar 28 2008
Description added Feb 06 2009

Technical details

This malicious program is a Trojan. It is a Windows PE EXE file. The size of infected files can range from 70KB to 260KB. It is not packed in any way. It is written in Delphi.

Installation

Once launched, the Trojan copies its body to the “intetsrv” subdirectory of the Windows directory as "lsass.exe":

%System%\inetsrv\lsass.exe

"Hidden" and "read only" attributes are ascribed to this file.

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]

"load" = "%System%\inetsrv\lsass.exe"

This ensures that the Trojan is launched before the user accesses Windows.

The Trojan also creates a unique identifier, “izokraSizokraS” to flag its presence in the system.

It creates the following registry key:

[HKLM\Software\Microsoft\Internet Explorer\inet.]
"Day" = "<date Trojan launched>"
Payload

The Trojan copies its body to all write-accessible network, logical and removable disks as shown below:

<X>:\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\lsass.exe

<x> indicates the disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

<X>:\autorun.inf

This file will launch the Trojan executable file each time the user opens an infected disk using Explorer.

"Hidden" and "read only" attributes are ascribed to all files created by the Trojan.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the following system registry key: 
    [HKLM\Software\Microsoft\Internet Explorer\inet.]
    
"Day" = "<date Trojan launched>"
  3. Delete the following registry key parameter value: 
    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    
"load" = "%System%\inetsrv\lsass.exe"
  4. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  5. Delete the following files: 
    %System%\inetsrv\lsass.exe
    
<X>:\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\lsass.exe
    
<X>:\autorun.inf
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com