GO TO: Summary | Removal | Technical Details
Trojan.W32/Agent.DPL totally paralyzes the victim's computer after execution by removing access to many basic functions of the Windows OS. Its motives appear to be completely malicious. It makes references to a Kenyan politician and may be a form of political mudslinging.
When the malware is active on the system, many basic functions are crippled, system tools are disabled, and there is little that can be done with the computer.However, the malware will terminate itself when a process named MsAutoPro.exe is launched.An application such as Notepad.exe can be renamed as MsAutoPro.exe. Running "notepad" with this new name will display a dialog box with the text "Illegal Application" and the malware will terminate itself.The Registry key changes will still need to be undone, but the malware will no longer close system tools and other applications.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Find the latest advice in our Community Knowledge Base.
See the user guide for your product on the Help Center.
Chat with or call an expert for help.
Submit a file or URL for further analysis.
Upon execution Trojan:W32/Agent.DPL opens the "My Documents" folder on the Windows Desktop.Agent.DPL attempts to connect to the following website:
The website is the official presidential campaign page of Kenyan politician Stephen Kalonzo Musyoka.Before Windows starts and enters the Welcome screen the following message will appear:
The malware creates the following file:
It creates the following Startup files for itself:
It copies itself into the following folders as:
The malware spreads itself by creating a file called "Autorun.inf" and a folder called "WindowXP" onto hard drive partitions, including removeable media (such as USB drives), and copies itself into the folder as "Explorer.exe". It hides the "Autorun.inf" file by changing its file attributes.
It also copies itself to every folder opened and viewed by the user. The copy uses the same name as the folder itself.It modifies the following registry keys:
The Registry modifications result in a crippled Start Menu:
It disables/hides the following System tools:
It will remove the following files if they exist:
If the malware finds that the user is trying to launch a process called "MsAutoPro.exe" or that the process is already running, the malware terminates itself by displaying a message box with the text "Illegal Application". This process name can be used to disable the malware.
It terminates following processes and prevents them to run:
It terminates all the processes that have one of the following strings:
Agent.DPL also repeatedly opens the CD/DVD-Rom drive door.The malware was written with Visual Basic.