How to Prevent and Remove the Trojan-Downloader.Win32.Agent.eyhw


1. What is the Trojan-Downloader.Win32.Agent.eyhw

The Trojan Downloader Win32 Agent is a member of the Trojan family of malware infections. Most Trojans disguise themselves as legitimate programs on a computer while secretly carrying out a harmful process. In this case, the Win32 Agent variant displays fake alerts and pop-ups about supposed infections on your computer. While the Trojan Downloader Win32 infection is not the most serious of virus infections, it should be removed immediately as it may leave your computer vulnerable to subsequent malware infections. Most users with basic knowledge of the Windows operating system and utilities can remove the Trojan in a few steps.

Alias: Trojan-Downloader.Win32.VB [Ikarus]  

2. Technical Details:

a. The following files were created in the system:

No.  Filename                                 Size
1    %AppData%\Firewall.exe                   4,512,256 bytes
     %System%\Firewalsl.exe
2    %Windir%\Driver_Cache                    470 bytes
3    %System%\drivers\regtoro.sys             10,368 bytes
4    %System%\reinicia.bat                    195 bytes
5    [file and pathname of the sample #1]     40,960 bytes
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

  • There were new memory pages created in the address space of the system process(es):

Process Name                   Process Filename                        Main Module Size
[filename of the sample #1]    [file and pathname of the sample #1]    90,112 bytes

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bord_007
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bord_007\Security
      • HKEY_CURRENT_USER\Firewall.exe
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • (Default) = "%AppData%\Firewall.exe"
          (so that Firewall.exe runs every time Windows starts)
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007\0000]
        • Service = "bord_007"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "reg_0014"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bord_007\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bord_007]
        • Type = 0x00000001
        • Start = 0x00000001
        • ErrorControl = 0x00000001
        • ImagePath = "%System%\Drivers\regtoro.sys"
        • DisplayName = "reg_0014"

d. Other details

  • There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host        Port Number
200.196.152.40     80
66.232.126.90      80
93.104.215.170     80

  • The data identified by the following URLs was then requested from the remote web server:
    • http://www.itau.com.br/
    • http://periodismosinafan.com/site/thumbr.jpg
    • http://www.srmvx.com.br/uploads/envia.php

3. How-to's

a. How to prevent the Trojan-Downloader.Win32.Agent.eyhw?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and help ensure your network and business security.

b. How to Remove the Trojan-Downloader.Win32.Agent.eyhw Manually?

Step 1: Use Windows Task Manager to Remove Trojan-Downloader.Win32.Agent.eyhw Processes

%AppData%\Firewall.exe

Step 2: Use Registry Editor to Remove Trojan-Downloader.Win32.Agent.eyhw Registry Values

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bord_007
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bord_007\Security
HKEY_CURRENT_USER\Firewall.exe

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
(Default) = "%AppData%\Firewall.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007\0000]
Service = "bord_007"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "reg_0014"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007]
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bord_007\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bord_007]
Type = 0x00000001
Start = 0x00000001
ErrorControl = 0x00000001
ImagePath = "%System%\Drivers\regtoro.sys"
DisplayName = "reg_0014"

Step 3: Detect and Delete Other Trojan-Downloader.Win32.Agent.eyhw Files

%AppData%\Firewall.exe
%System%\Firewalsl.exe
%Windir%\Driver_Cache
%System%\drivers\regtoro.sys
%System%\reinicia.bat
[file and pathname of the sample #1]
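Before working through the manual steps, a practitioner usually wants to confirm which of the indicators from the Technical Details section are actually present on the host. The following PowerShell script is an added example, not code from the original page or from Ax3soft; it audits the file, process, registry, service and network indicators listed above and reports them without removing anything. The indicator values are the ones the page lists; the function name Add-Finding and the variable names are my own. It assumes %System% is System32 (as on Windows XP and later), that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later), and that it is run from an elevated prompt. The unknown "[file and pathname of the sample #1]" entry is left out.

```powershell
# Added example (not from the original page): read-only audit of the
# Trojan-Downloader.Win32.Agent.eyhw indicators listed above. Reports only;
# removal is left to the manual steps above or to an anti-malware product.
# Run from an elevated PowerShell prompt.

$ErrorActionPreference = 'SilentlyContinue'

# File indicators from section 2a (%System% assumed to be System32)
$filePaths = @(
    "$env:APPDATA\Firewall.exe",
    "$env:SystemRoot\System32\Firewalsl.exe",
    "$env:SystemRoot\Driver_Cache",
    "$env:SystemRoot\System32\drivers\regtoro.sys",
    "$env:SystemRoot\System32\reinicia.bat"
)

# Registry keys from section 2c. The page records ControlSet001; the
# CurrentControlSet alias is checked as well (assumption: same layout).
$registryKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_BORD_007',
    'HKLM:\SYSTEM\ControlSet001\Services\bord_007',
    'HKLM:\SYSTEM\CurrentControlSet\Services\bord_007',
    'HKCU:\Firewall.exe'
)

# Remote hosts contacted during analysis (section 2d)
$remoteHosts = @('200.196.152.40', '66.232.126.90', '93.104.215.170')

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Dropped files
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        Add-Finding 'File' "$p ($size bytes)"
    }
}

# 2. Running copy of the dropper launched from %AppData%
Get-Process -Name 'Firewall' |
    Where-Object { $_.Path -like "$env:APPDATA\*" } |
    ForEach-Object { Add-Finding 'Process' "PID $($_.Id) $($_.Path)" }

# 3. Registry keys and the Run persistence value
foreach ($k in $registryKeys) {
    if (Test-Path -LiteralPath $k) { Add-Finding 'RegistryKey' $k }
}
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if ($run) {
    # The page lists the value under the key's (Default) name; check every
    # value under Run in case the name differs on this host.
    foreach ($prop in $run.PSObject.Properties) {
        if ("$($prop.Value)" -match 'Firewall\.exe') {
            Add-Finding 'RunValue' "$($prop.Name) = $($prop.Value)"
        }
    }
}

# 4. The legacy driver service (ImagePath %System%\Drivers\regtoro.sys)
$svc = Get-Service -Name 'bord_007'
if ($svc) { Add-Finding 'Service' "bord_007 status=$($svc.Status)" }

# 5. Live TCP connections to the hosts seen during analysis
Get-NetTCPConnection |
    Where-Object { $remoteHosts -contains $_.RemoteAddress } |
    ForEach-Object {
        Add-Finding 'Network' "$($_.RemoteAddress):$($_.RemotePort) state=$($_.State) pid=$($_.OwningProcess)"
    }

if ($findings.Count -eq 0) {
    Write-Host 'No Trojan-Downloader.Win32.Agent.eyhw indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A host that reports the `bord_007` service or `regtoro.sys` should be treated as having had a kernel driver loaded, so after cleanup the driver service entry must be removed and the machine rebooted before the result is trusted; the `Network` findings are the quickest way to tell whether the downloader is still active rather than merely present on disk.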

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense is therefore to download and install a reliable anti-spyware program and scan your machine. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm