Trojan-Downloader.Win32.Agent.bvz

Detection added Jun 25 2007 21:02 GMT
Update released Jun 25 2007 22:35 GMT
Description added Jul 11 2007
Behavior TrojanDownloader
Technical details

This Trojan is a Windows PE EXE file. It is 41,472 bytes in size.

Installation

When installing, the Trojan copies its executable file to the Windows system directory: %System%\ntos.exe

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan adds a link to its executable file in the system registry: [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "userinit" = "%System%\ntos.exe"

Payload

The Trojan tracks user activity in Internet Explorer.

If https://onlineeast.bankofamerica.com is opened/ used, the Trojan will periodically take screenshots of the user's desktop and upload them to the remote malicious user's FTP server.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following parameter from the system registry (see What is a system registry and how do I use it for details on how to edit the registry): [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "userinit" = "%System%\ntos.exe"
  4. Delete the following file: %System%\ntos.exe
  5. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).

 
HOME