How to Prevent and Remove the Trojan-Downloader.Win32.Agent.flnw


1. What is the Trojan-Downloader.Win32.Agent.flnw

Trojan-Downloader.Win32.Agent.flnw may attempt to establish a connection with a remote host once it enters a system. The Trojan-Downloader.Win32.Agent.flnw virus will usually hide itself in the deepest part of the computer, where it cannot be found easily. Even after you have removed it from the machine, you still need to repair the registry entries that the Win32 Trojan-Gen virus has reset. Trojan-Downloader.Win32.Agent.flnw opens up firewalls and collects confidential information such as personal financial data. Trojan-Downloader.Win32.Agent.flnw also downloads additional components before the hackers get remote access to the infected PC.


Alias: Trojan.Gen.2 [Symantec], Mal/Emogen-O [Sophos] 

 

2. Technical Details:

 

a. The following files were created in the system:

#  Filename(s)                           File Size
1  %System%\autochkju.exe                57,344 bytes
2  %System%\autofmtpl.exe                49,152 bytes
3  %System%\autoplayfi.exe               118,784 bytes
4  [file and pathname of the sample #1]  24,576 bytes
  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications

  • The following new processes were created in the system:

Process Name                Process Filename                      Main Module Size
autofmtpl.exe               %System%\autofmtpl.exe                49,152 bytes
autoplayfi.exe              %System%\autoplayfi.exe               118,784 bytes
autochkju.exe               %System%\autochkju.exe                86,016 bytes
[filename of the sample #1] [file and pathname of the sample #1]  24,576 bytes

c. Registry Modifications

  • The following Registry Keys were modified:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect
    • HKEY_LOCAL_MACHINE\SOFTWARE\Description
    • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft
    • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc
    • HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
  • The newly created Registry Values are:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • autoplayfi = "%System%\autoplayfi.exe"
      • autochkju = "%System%\autochkju.exe"

      so that autoplayfi.exe runs every time Windows starts
      so that autochkju.exe runs every time Windows starts
       
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect]
      • 187.45.196.22 = "-687210486:tcp:187.45.196.22,1433"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
      • NetworkAddress = C0 3E 83 A4 70 51
      • NetworkAddressLocal = 0x00000001
    • [HKEY_CURRENT_USER]
      • http = 0x00000002
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • autochkju = "%System%\autochkju.exe"

      so that autochkju.exe runs every time Windows starts

d. Other details

  • The following ports were open in the system:

Port  Protocol  Process
1055  TCP       icondrv.exe (%System%\icondrv.exe)
  • There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host    Port Number
187.45.196.22  1433
213.186.33.16  80
  • The data identified by the following URLs was then requested from the remote web server:

    • http://www.ifcil.fr/dif/images/autoplayfi.jpg
    • http://www.ifcil.fr/dif/images/autochkju.jpg

 

3. How-to's

a. How to prevent the Trojan-Downloader.Win32.Agent.flnw?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and ensure your network and business security.

b. How to Remove the Trojan-Downloader.Win32.Agent.flnw Manually?

Step 1: Use Windows Task Manager to Remove Trojan-Downloader.Win32.Agent.flnw Processes

%System%\autofmtpl.exe
%System%\autoplayfi.exe
%System%\autochkju.exe
[file and pathname of the sample #1]
 

Step 2: Use Registry Editor to Remove Trojan-Downloader.Win32.Agent.flnw Registry Values

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
autoplayfi = "%System%\autoplayfi.exe"
autochkju = "%System%\autochkju.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\LastConnect]
187.45.196.22 = "-687210486:tcp:187.45.196.22,1433"
[HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
NetworkAddress = C0 3E 83 A4 70 51
NetworkAddressLocal = 0x00000001
[HKEY_CURRENT_USER]
http = 0x00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
autochkju = "%System%\autochkju.exe"
 

Step 3: Detect and Delete Other Trojan-Downloader.Win32.Agent.flnw Files

%System%\autochkju.exe
%System%\autofmtpl.exe
%System%\autoplayfi.exe
[file and pathname of the sample #1]
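As an added example (not part of the original page), the following read-only PowerShell script checks a host for the indicators named in Steps 1 to 3: the Run-key values, the dropped files under %System% (including icondrv.exe from the port table), and any running process whose image is one of those files. It only reports findings and deletes nothing; the function name Get-TrojanIndicators is an assumed name for this example.

```powershell
# Added example: read-only triage for the indicators listed on this page. Reports only.
$runValueNames = @('autoplayfi', 'autochkju')                                   # from the page
$droppedFiles  = @('autochkju.exe', 'autofmtpl.exe', 'autoplayfi.exe', 'icondrv.exe')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$system = [Environment]::SystemDirectory   # resolves %System% on this host

function Get-TrojanIndicators {
    $findings = @()
    # 1. Autostart entries: a value whose name matches the trojan's, or any Run
    #    value whose data points at one of the dropped file names.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                  # skip provider metadata
            $data    = [string]$p.Value
            $nameHit = $runValueNames -contains $p.Name
            $dataHit = $droppedFiles | Where-Object { $data -match [regex]::Escape($_) }
            if ($nameHit -or $dataHit) {
                $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$($p.Name)"; Detail = $data }
            }
        }
    }
    # 2. Dropped files in the System folder.
    foreach ($f in $droppedFiles) {
        $path = Join-Path $system $f
        if (Test-Path $path) {
            $item = Get-Item $path
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "$($item.Length) bytes" }
        }
    }
    # 3. Running processes whose image path is one of the dropped files.
    foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
        $img = $null
        try { $img = $proc.Path } catch { continue }               # protected/system processes
        if ($img -and ($droppedFiles -contains (Split-Path $img -Leaf))) {
            $findings += [pscustomobject]@{ Type = 'Process'; Location = "PID $($proc.Id)"; Detail = $img }
        }
    }
    return $findings
}

$result = Get-TrojanIndicators
if ($result.Count -eq 0) { 'No indicators from this page found.' } else { $result | Format-Table -AutoSize }
```

Run it from an elevated prompt so both the HKLM key and other users' processes are readable; a hit in the Process category means Step 1 has not yet been completed.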
 

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm