First posted on 26 October 2007.
Source: SecurityHome
Trojan:W32/Agent.DPL is also known as Agent.DPL, Worm.Win32.VB.jc, TR/Crypt.XPACK.Gen, Win32/AutoRun.BB.
Trojan:W32/Agent.DPL effectively paralyzes the victim's computer after execution by removing access to many basic functions of the Windows OS.
Its motives appear to be completely malicious. It makes references to a Kenyan politician and may be a form of political mudslinging.
Upon execution, Trojan:W32/Agent.DPL opens the "My Documents" folder on the Windows Desktop.
Agent.DPL attempts to connect to the following website:
- www.kalonzomusyokaforpresident.com
The website is the official presidential campaign page of Kenyan politician Stephen Kalonzo Musyoka.
Before Windows reaches the Welcome screen, the following logon notice is displayed:
- Caption: FRANCIS KALONZO MUSYOKA-MWELEKEO MPYA
- Text: VISION:I will offer you leadership based on respect, equality accountability, and personal integrity. A new direction in the conduct of our public affairs is on the way. A complete paradigm shift
The malware creates the following file:
- C:\SoftwareProtector\musyoka610_out.pr
It creates the following Startup files for itself:
- %allusersprofile%\Start Menu\Programs\Startup\default.pif
- %Windir%\Auto.inf
It copies itself into the following folders as:
- %allusersprofile%\Documents\Music.exe
- %userprofile%\My Documents\My Documents .exe
- %Windir%\Fonts\lsass.exe
- %Windir%\SoftwareDistribution\DataStore\Logs\lsass.exe
- %Windir%\System32.exe
- %windir%\system32\config\systemprofile\My Documents\My Documents .exe
- %Windir%\System32\DirectX\Dinput\csrss.exe
- c:\Documents and Settings\Default User\My Documents\My Documents .exe
Spreading Vectors
The malware spreads itself by creating a file called "Autorun.inf" and a folder called "WindowXP" on hard drive partitions, including removable media (such as USB drives), and copies itself into the folder as "Explorer.exe". It hides the "Autorun.inf" file by changing its file attributes. The Autorun.inf contains:
- [autorun.inf]
open=
shell\open\Command=Windowxp\Explorer.exe
shell\open\Default=1
shell\explore\Command=windowxp\Explorer.exe
It also copies itself into every folder the user opens and views, using the folder's own name for the copy.
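As an added example (not part of the original description), this Python snippet parses an Autorun.inf and flags the two tricks described above: shell verbs that run a relative Explorer.exe shipped on the medium itself, and shell\open\Default=1, which makes that verb the drive's double-click action. The sample file is constructed to match the listing above.

```python
SAMPLE_AUTORUN = r"""[autorun]
open=
shell\open\Command=Windowxp\Explorer.exe
shell\open\Default=1
shell\explore\Command=windowxp\Explorer.exe
"""  # constructed sample modelled on the listing above; not the real file

def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section of an Autorun.inf."""
    entries, in_section = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            k, v = line.split("=", 1)
            entries[k.strip().lower()] = v.strip()
    return entries

def autorun_findings(text):
    """Flag the pattern above: open/shell verbs that run an executable shipped on the
    medium under an Explorer.exe name, and a verb promoted to the default action."""
    findings = []
    for k, v in parse_autorun(text).items():
        is_verb_cmd = k.startswith("shell\\") and k.endswith("\\command")
        target = v.strip('"').lower()
        if (is_verb_cmd or k in ("open", "shellexecute")) and target:
            # no drive letter, no %var%, no UNC prefix: the file travels with the medium
            if ":" not in target and not target.startswith(("%", "\\\\")):
                findings.append(f"{k} runs a relative executable on the medium: {v}")
            if target.split("\\")[-1] == "explorer.exe" and "\\windows\\" not in target:
                findings.append(f"{k} runs an Explorer.exe outside the Windows folder: {v}")
        if k.startswith("shell\\") and k.endswith("\\default") and v == "1":
            verb = k.split("\\")[1]
            findings.append(f"{k} makes the '{verb}' verb the double-click default")
    return findings
```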
It modifies the following registry keys:
- HKEY_CURRENT_USER\Control Panel\Desktop
  Coolswitch = 00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Hidden = 00000000
  ShowSuperHidden = 00000000
  HideFileExt = 00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFolderOptions = 00000001
  NoControlPanel = 00000001
  NoDrives = 00000001
  NoFind = 00000001
  NoRun = 00000001
  NoShellSearchButton = 00000001
  NoEntireNetwork = 00000001
  NoSecurityTab = 00000001
  NoSimpleStartMenu = 00000001
  NoResolveSearch = 00000001
  NoResolveTrack = 00000001
  NoUserNameInStartMenu = 00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
  NoClose = 00000001
  Disable = 00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
  Debugger = "C:\WINDOWS\fonts\lsass.exe"
  Auto = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\fonts\lsass.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFolderOptions = 00000001
  NoControlPanel = 00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  kb = AUTO.TXT
  shutdownwithoutlogon = 00000000
  LegalNoticeCaption = FRANCIS KALONZO MUSYOKA-MWELEKEO MPYA
  LegalNoticeText = VISION:I will offer you leadership based on respect, equality accountability, and personal integrity. A new direction in the conduct of our public affairs is on the way. A complete paradigm shift
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  DisableConfig = 00000001
  DisableSR = 00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
  LimitSystemRestoreCheckpointing = 00000001
  DisableMSI = 00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  AlternateShell = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\lsass.exe
The registry modifications result in a crippled Start Menu. It disables or hides the following system tools:
- Control Panel
- Folder Options
- Shutdown from Start Menu
- Start Menu / Run
- System Clock
- Taskbar Properties
- Windows Search
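The registry changes listed above can be triaged offline from a reg export of the affected hives. The following Python script is an added example, not code from the original description: it parses reg-export text and flags the three persistence hooks (AeDebug Debugger, Winlogon Userinit, SafeBoot AlternateShell) and the lockdown policies. The embedded .reg excerpt is constructed, and the lsass.exe check assumes the legitimate binary lives only in %SystemRoot%\System32.

```python
import re
LOCKDOWN = {"nofolderoptions", "nocontrolpanel", "nodrives", "nofind", "norun", "noclose",
            "noshellsearchbutton", "noentirenetwork", "nosecuritytab", "disableconfig",
            "disablesr", "limitsystemrestorecheckpointing", "disablemsi"}  # set to 1 above
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="C:\\WINDOWS\\fonts\\lsass.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\fonts\\lsass.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\lsass.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoControlPanel"=dword:00000001
'''  # constructed reg-export excerpt mirroring the values above; not a real capture
def parse_reg(text):
    """Parse reg-export text into {(key, name): value}; keys and names lowercased."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                values[(key, name)] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):  # REG_SZ: unescape \\ and \"
                values[(key, name)] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return values

def masquerading_lsass(path):
    # lsass.exe legitimately lives only in %SystemRoot%\System32 (assumption stated above)
    p = path.strip().strip('"').lower()
    return p.endswith("\\lsass.exe") and "\\system32\\lsass.exe" not in p

def triage(text):
    """Return findings matching the persistence and lockdown pattern described above."""
    v, findings = parse_reg(text), []
    for (key, name), val in v.items():
        if name == "debugger" and key.endswith("\\aedebug") and masquerading_lsass(val):
            findings.append(f"AeDebug hijack (Auto={v.get((key, 'auto'))}): {val}")
        elif name == "userinit" and key.endswith("\\winlogon"):
            for entry in (e.strip() for e in val.split(",")):
                if entry and not entry.lower().endswith("\\userinit.exe"):
                    findings.append(f"Extra Userinit entry: {entry}")
        elif name == "alternateshell" and key.endswith("\\safeboot"):
            if not val.strip().lower().endswith("\\cmd.exe"):  # cmd.exe is the default
                findings.append(f"Safe Mode shell replaced: {val}")
        elif name in LOCKDOWN and "policies" in key and val == 1:
            findings.append(f"Policy lockdown: {name}=1 under {key}")
    return findings
```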
It will remove the following files if they exist:
- %ProgramFilesDir%\Alwil Software\Avast4\ashAvast.exe
- %ProgramFilesDir%\Alwil Software\Avast4\ashBug.exe
- %ProgramFilesDir%\Alwil Software\Avast4\ashdisp.exe
- %ProgramFilesDir%\Alwil Software\Avast4\ashmaisv.exe
- %ProgramFilesDir%\Alwil Software\Avast4\ashserv.exe
- %ProgramFilesDir%\Alwil Software\Avast4\ashwebsv.exe
- %ProgramFilesDir%\Alwil Software\Avast4\sched.exe
- %ProgramFilesDir%\Alwil Software\Avast4\visthupd.exe
- %ProgramFilesDir%\ESET\nod32.exe
- %ProgramFilesDir%\ESET\nod32krn.exe
- %ProgramFilesDir%\ESET\nod32kui.exe
- %ProgramFilesDir%\Grisoft\Avg free\avgcc.exe
- %ProgramFilesDir%\Grisoft\Avg free\avgvv.exe
- %ProgramFilesDir%\Grisoft\Avg free\avgw.exe
- %ProgramFilesDir%\McAfee.com\Agent\mcagent.exe
- %ProgramFilesDir%\McAfee.com\VSO\Mcshield.exe
- %ProgramFilesDir%\McAfee.com\VSO\McVSEscn.exe
- %ProgramFilesDir%\McAfee.com\VSO\Mcvsftsn.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Apvxdwin.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\apvxdwin.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Avciman.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Avengine.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\avengine.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\avlite.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Avltmain.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Avtask.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\lupgconf.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\panicsh.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\pavsrv51.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\psctrls.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\psimsvc.exe
- %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\webproxy.exe
If the malware finds that the user is trying to launch a process called "MsAutoPro.exe", or that such a process is already running, it displays a message box with the text "Illegal Application" and terminates itself. This process name can therefore be used to disable the malware.
It terminates the following processes and prevents them from running:
- Apvxdwin.exe
- Ashavast.exe
- Ashdisp.exe
- Ashmaisv.exe
- Ashserv.exe
- Ashwebsv.exe
- aswupdsv.exe
- avengine.exe
- avgcc.exe
- AVS 2007.exe
- kav6.0.2.621en.exe
- mcagent.exe
- Mcmnhdlr.exe
- mcshield.exe
- McVSEscn.exe
- McVsftsn.exe
- msiexec.exe
- nod32.exe
- nod32krn.exe
- nod32kui.exe
- pavsrv51.exe
- psctrls.exe
- psimsvc.exe
It also terminates every process whose name contains one of the following strings:
- ADMINI
- ANT
- AUTO
- AVAST
- AVS
- BUG
- CLEA
- COMPON
- CONFIG
- CONSOL
- DETEC
- ESSET
- KASP
- KAV
- MCAFEE
- MECHAN
- NOD32
- NORTON
- PAND
- PROC
- REG
- SCAN
- SECUR
- SUPPORT
- SYMAN
- TASK
- TRIA
- UNHO
- VIR
Agent.DPL also repeatedly opens the CD/DVD-Rom drive door.
The malware was written with Visual Basic.
Last update 26 October 2007