[06-26] A brief analysis of the Trojan Trojan.DL.Agent.ALB (3rd edition)

Source: Internet
Author: User

Original by Endurer

3rd edition addendum: Kaspersky has confirmed it as a virus: Trojan.Win32.Agent.ut
2nd edition addendum: Kaspersky (09:06:15) and Jiangmin KV2006 (engine version 9.02.2040, virus database date:) do not detect it.

1st edition

A netizen reported that web browsing on his computer had recently become slow at times, and that an unexplained page, hxxp://www.88u.com, sometimes popped up. He also sent along the log produced by HijackThis.

The following suspicious items were found in the log:

O2 - BHO: iehlprobj class - {A3803141-3CF5-4D66-B7EA-8D2674FE152C} - C:\Windows\stdie.dll

O4 - HKCU\..\Run: [LocalSystem] C:\Windows\system\svchost.exe
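The two log entries above are the kind of thing an analyst scans for by eye. As an added example (not part of Endurer's original post), the Python script below parses HijackThis-style O2 and O4 lines and flags the traits that made these two stand out: a core Windows binary name such as svchost.exe running from somewhere other than System32, an autostart value named after a Windows account, and a BHO DLL dropped directly into the Windows directory. The sample log lines are constructed to mirror the post's entries plus one benign line; the allow-list of System32-only binaries and the flagging rules are assumptions chosen for the demonstration.

```python
# Added example: triage of HijackThis O2/O4 lines (not code from the original post).
import re
from pathlib import PureWindowsPath

# Constructed sample log, modelled on the two entries quoted in the post plus a benign line.
SAMPLE_LOG = """\
O2 - BHO: iehlprobj class - {A3803141-3CF5-4D66-B7EA-8D2674FE152C} - C:\\Windows\\stdie.dll
O4 - HKCU\\..\\Run: [LocalSystem] C:\\Windows\\system\\svchost.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\Windows\\system32\\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<path>.+)$")

# Assumption: a short list of Windows binaries that legitimately live only in %WINDIR%\System32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
# Assumption: autostart value names that imitate built-in accounts are treated as suspicious.
ACCOUNT_LIKE_NAMES = {"localsystem", "system", "networkservice", "localservice"}


def parse_line(line):
    """Return a dict describing an O2 or O4 entry, or None for any other line."""
    m = O2_RE.match(line)
    if m:
        return {"type": "O2", **m.groupdict()}
    m = O4_RE.match(line)
    if m:
        return {"type": "O4", **m.groupdict()}
    return None


def findings_for(entry):
    """List the reasons an entry looks suspicious (empty list means nothing flagged)."""
    reasons = []
    path = PureWindowsPath(entry["path"].strip('"'))
    parent = str(path.parent).lower()
    name = path.name.lower()
    if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
        reasons.append(f"{path.name} running from {path.parent} instead of System32")
    if entry["type"] == "O4" and entry["value"].lower() in ACCOUNT_LIKE_NAMES:
        reasons.append(f"autostart value name '{entry['value']}' imitates a Windows account")
    if entry["type"] == "O2" and re.match(r"^[a-z]:\\windows$", parent):
        reasons.append("BHO DLL sits directly in the Windows directory, not a program folder")
    return reasons


def triage(log_text):
    """Return [(line, [reason, ...]), ...] for every O2/O4 line that raised a flag."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = findings_for(entry)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   !", r)
```

Feed it a real HijackThis log and it prints only the entries that trip a rule; the benign ctfmon.exe line is parsed but produces no output.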

After my reply, the netizen packed up the two files and sent them over.

svchost.exe is detected as Trojan.DL.Agent.ALB.

The file is written in Microsoft Visual C++ 7.0 [Debug].

It creates a named pipe and downloads micpip from:

hxxp://www.ad****developer.com/filmweb/webad.asp
hxxp://www.ad****developer.com/filmweb/file.asp
hxxp://www.ad****developer.com/filmweb/file.dat
hxxp://www.ad****developer.com/filmweb/ehu.up

Files created:

1. %WINDIR%\setupsvc.txt

2. %USERPROFILE%\Local Settings\Temp\run1.bat

File content:

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 drv1.inf

3. %USERPROFILE%\Local Settings\Temp\drv1.inf

File content:

[Version]
Signature="$Windows NT$"
[DefaultInstall]
DelReg=MYDEL
[MYDEL]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
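The run1.bat line hands drv1.inf to the Setup API, which executes the DefaultInstall section; here that section's DelReg directive removes the DisableRegistryTools policy value. When triaging a dropped INF it is useful to list exactly which registry keys the install section would add or delete without running it. The Python below is an added example (not code from the original post or the sample) that parses an INF into sections, follows AddReg/DelReg directives from the install section, and reports any entry that touches a Policies key. The sample INF is constructed to match the drv1.inf content quoted above; the Policies watch-list prefix is an assumption for the demonstration.

```python
# Added example: static listing of registry operations declared in an INF file.
import re

# Constructed sample, matching the drv1.inf content described in the post.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[DefaultInstall]
DelReg=MYDEL

[MYDEL]
HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System,DisableRegistryTools
"""

# Assumption: subkey prefixes considered policy-relevant for this demo (not exhaustive).
POLICY_PREFIXES = ("software\\microsoft\\windows\\currentversion\\policies\\",)


def parse_inf(text):
    """Split INF text into {section_name_lower: [entry, ...]}, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_actions(sections, install_section="defaultinstall"):
    """Return (directive, hive, subkey, value) for each AddReg/DelReg entry reachable
    from the install section. value is '' when the entry names a whole key."""
    actions = []
    for item in sections.get(install_section.lower(), []):
        directive, sep, targets = item.partition("=")
        directive = directive.strip().lower()
        if not sep or directive not in ("addreg", "delreg"):
            continue
        for target in targets.split(","):
            for entry in sections.get(target.strip().lower(), []):
                parts = [p.strip() for p in entry.split(",")]
                hive = parts[0].upper()
                subkey = parts[1] if len(parts) > 1 else ""
                value = parts[2] if len(parts) > 2 else ""
                actions.append((directive, hive, subkey, value))
    return actions


def policy_touches(actions):
    """Subset of actions whose subkey lies under a Policies key."""
    return [a for a in actions if a[2].lower().startswith(POLICY_PREFIXES)]


if __name__ == "__main__":
    acts = registry_actions(parse_inf(SAMPLE_INF))
    for directive, hive, subkey, value in acts:
        print(f"{directive.upper():6} {hive}\\{subkey} -> {value or '(whole key)'}")
    print("policy-related entries:", len(policy_touches(acts)))
```

Because it never calls the Setup API, the script is safe to run over any INF pulled from a temp directory; the same parser also covers AddReg sections, so it will show a persistence value being written as readily as a policy value being deleted.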

4. netinfo.xml

5. %WINDIR%\system\svchost.exe

6. %WINDIR%\system\netshell.dll

7. %WINDIR%\netshell.dll

It modifies several registry values. The most important one is:

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer %S.dll

which is used to load netshell.dll.

This entry does not show up in the concise HijackThis log.
