Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Trojan:W32/Agent.DPL


Discovered:
Aliases:


October 24, 2007
Trojan:W32/Agent.DPL

Malware
Trojan, Worm
W32

Summary

Trojan.W32/Agent.DPL totally paralyzes the victim's computer after execution by removing access to many basic functions of the Windows OS. Its motives appear to be completely malicious. It makes references to a Kenyan politician and may be a form of political mudslinging.



Disinfection & Removal

When the malware is active on the system, many basic functions are crippled, system tools are disabled, and there is little that can be done with the computer.However, the malware will terminate itself when a process named MsAutoPro.exe is launched.An application such as Notepad.exe can be renamed as MsAutoPro.exe. Running "notepad" with this new name will display a dialog box with the text "Illegal Application" and the malware will terminate itself.The Registry key changes will still need to be undone, but the malware will no longer close system tools and other applications.



Technical Details

Upon execution Trojan:W32/Agent.DPL opens the "My Documents" folder on the Windows Desktop.Agent.DPL attempts to connect to the following website:

  • www.kalonzomusyokaforpresident.com

The website is the official presidential campaign page of Kenyan politician Stephen Kalonzo Musyoka.Before Windows starts and enters the Welcome screen the following message will appear:

  • FRANCIS KALONZO MUSYOKA-MWELEKEO MPYAVISION:I will offer you leadership based on respect, equality accountability, and personal integrity. A new direction in the conduct of our public affairs is on the way. A complete paradigm shift

The malware creates the following file:

  • C:\SoftwareProtector\musyoka610_out.pr

It creates the following Startup files for itself:

  • %allusersprofile%\Start Menu\Programs\Startup\default.pif
  • %Windir%\Auto.inf

It copies itself into the following folders as:

  • %allusersprofile%\Documents\Music.exe
  • %userprofile%\My Documents\My Documents .exe
  • %Windir%\Fonts\lsass.exe
  • %Windir%\SoftwareDistribution\DataStore\Logs\lsass.exe
  • %Windir%\System32.exe
  • %windir%\system32\config\systemprofile\My Documents\My Documents .exe
  • %Windir%\System32\DirectX\Dinput\csrss.exe
  • c:\Documents and Settings\Default User\My Documents\My Documents .exe

Spreading Vectors

The malware spreads itself by creating a file called "Autorun.inf" and a folder called "WindowXP" onto hard drive partitions, including removeable media (such as USB drives), and copies itself into the folder as "Explorer.exe". It hides the "Autorun.inf" file by changing its file attributes.

  • [autorun.inf]open=shell\open\Command=Windowxp\Explorer.exeshell\open\Default=1shell\explore\Command=windowxp\Explorer.exe

It also copies itself to every folder opened and viewed by the user. The copy uses the same name as the folder itself.It modifies the following registry keys:

  • HKEY_CURRENT_USER\Control Panel\DesktopCoolswitch = 00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEntireNetwork = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoResolveSearch = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoResolveTrack = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = 00000001
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = 00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldAppDisable = 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebugDebugger = "C:\WINDOWS\fonts\lsass.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebugAuto = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonUserinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\fonts\lsass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = 00000001
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\kb = AUTO.TXT
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\systemshutdownwithoutlogon = 00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\systemLegalNoticeCaption = FRANCIS KALONZO MUSYOKA-MWELEKEO MPYA
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\systemLegalNoticeText = VISION:I will offer you leadership based on respect, equalityaccountability, and personal integrity. A new direction in the conduct of our publicaffairs is on the way. A complete paradigm shift
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestoreDisableConfig = 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestoreDisableSR = 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\InstallerLimitSystemRestoreCheckpointing = 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\InstallerDisableMSI = 00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell = C:\WINDOWS\SoftwareDistribution\DataStore\Logs\lsass.exe

The Registry modifications result in a crippled Start Menu:

It disables/hides the following System tools:

  • Control Panel
  • Folder Options
  • Shutdown from Start Menu
  • Start Menu / Run
  • System Clock
  • Taskbar Properties
  • Windows Search

It will remove the following files if they exist:

  • %ProgramFilesDir%\Alwil Software\Avast4\ashAvast.exe
  • %ProgramFilesDir%\Alwil Software\Avast4\ashBug.exe
  • %ProgramFilesDir%\Alwil Software\Avast4\ashdisp.exe
  • %ProgramFilesDir%\Alwil Software\Avast4\ashmaisv.exe
  • %ProgramFilesDir%\Alwil Software\Avast4\ashserv.exe
  • %ProgramFilesDir%\Alwil Software\Avast4\ashwebsv.exe
  • %ProgramFilesDir%\Alwil Software\Avast4\sched.exe
  • %ProgramFilesDir%\Alwil Software\Avast4\visthupd.exe
  • %ProgramFilesDir%\ESET\nod32.exe
  • %ProgramFilesDir%\ESET\nod32krn.exe
  • %ProgramFilesDir%\ESET\nod32kui.exe
  • %ProgramFilesDir%\Grisoft\Avg free\avgcc.exe
  • %ProgramFilesDir%\Grisoft\Avg free\avgvv.exe
  • %ProgramFilesDir%\Grisoft\Avg free\avgw.exe
  • %ProgramFilesDir%\McAfee.com\Agent\mcagent.exe
  • %ProgramFilesDir%\McAfee.com\VSO\Mcshield.exe
  • %ProgramFilesDir%\McAfee.com\VSO\McVSEscn.exe
  • %ProgramFilesDir%\McAfee.com\VSO\Mcvsftsn.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Apvxdwin.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\apvxdwin.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Avciman.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Avengine.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\avengine.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\avlite.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Avltmain.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\Avtask.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\lupgconf.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\panicsh.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\pavsrv51.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\psctrls.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\psimsvc.exe
  • %ProgramFilesDir%\Panda Software\Panda Antivirus 2007\webproxy.exe

If the malware finds that the user is trying to launch a process called "MsAutoPro.exe" or that the process is already running, the malware terminates itself by displaying a message box with the text "Illegal Application". This process name can be used to disable the malware.

It terminates following processes and prevents them to run:

  • Apvxdwin.exe
  • Ashavast.exe
  • Ashdisp.exe
  • Ashmaisv.exe
  • Ashserv.exe
  • Ashwebsv.exe
  • aswupdsv.exe
  • avengine.exe
  • avgcc.exe
  • AVS 2007.exe
  • kav6.0.2.621en.exe
  • mcagent.exe
  • Mcmnhdlr.exe
  • mcshield.exe
  • McVSEscn.exe
  • McVsftsn.exe
  • msiexec.exe
  • nod32.exe
  • nod32krn.exe
  • nod32kui.exe
  • pavsrv51.exe
  • psctrls.exe
  • psimsvc.exe

It terminates all the processes that have one of the following strings:

  • ADMINI
  • ANT
  • AUTO
  • AVAST
  • AVS
  • BUG
  • CLEA
  • COMPON
  • CONFIG
  • CONSOL
  • DETEC
  • ESSET
  • KASP
  • KAV
  • MCAFEE
  • MECHAN
  • NOD32
  • NORTON
  • PAND
  • PROC
  • REG
  • SCAN
  • SECUR
  • SUPPORT
  • SYMAN
  • TASK
  • TRIA
  • UNHO
  • VIR

Agent.DPL also repeatedly opens the CD/DVD-Rom drive door.The malware was written with Visual Basic.



Detection



Detection Type: PC
Database: 2007-10-24_06





Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.