How to Prevent and Remove the Trojan-Dropper.Agent

Bookmark and Share

 

1. What is the Trojan-Dropper.Agent

Trojan.Dropper.Agent is a serious Trojan downloader infection. Trojan.Dropper.Agent is known to download or even install other malicious files and programs onto an infected computer. Trojan.Dropper.Agent does this without letting the computer user know what is happening. You may notice slower computer performance and decreased network speed if you have the Trojan.Dropper.Agent Trojan horse infection. Trojan.Dropper.Agent is a serious threat to the security, personal and financial data stored on your computer. It is recommended that you detect and remove Trojan.Dropper.Agent with a good spyware scan tool.

Alias: Trojan.Gen [Symantec],Dropper/Malware.595968.O [AhnLab] 

 

2.Technical Details:

 

a. The following files were created in the system:

  • The following files were created in the system:

# Filename(s) File Size
1 c:\cleanup.exe 19,286 bytes
2 %AppData%\wap.exe
c:\formularo.exe 		4,920,832 bytes
3 c:\kill.txt 220 bytes
4 c:\TITI.EXE 731,136 bytes
5 %Windir%\ERRO 463 bytes
6 %System%\drivers\trs.sys 8,320 bytes
7 %System%\drivers\ugntp.sys 61,440 bytes
8 %System%\mdxkrx.txt 432 bytes
9 [file and pathname of the sample #1] 595,968 bytes
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

 

b. Memory Modifications

  • There was a new process created in the system:

Process Name Process Filename Main Module Size
formularo.exe c:\formularo.exe 4,947,968 bytes
wap.exe %AppData%\wap.exe 4,947,968 bytes
TITI.EXE c:\titi.exe 2,834,432 bytes
[filename of the sample #1] [file and pathname of the sample #1] 618,496 bytes

c.  Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo\Enum
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\teim
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo\Enum
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\teim
      • HKEY_CURRENT_USER\EnableLUA
      • HKEY_CURRENT_USER\wap
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • (Default) = "%AppData%\wap.exe"

        so that wap.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
        • Cleanup = "C:\cleanup.exe"

        so that cleanup.exe runs every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO\0000\Control]
        • *NewlyCreated* = 0x00000000
        • ActiveService = "pelodlo"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO\0000]
        • Service = "pelodlo"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "putit"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo\Enum]
        • Count = 0x00000001
        • NextInstance = 0x00000001
        • INITSTARTFAILED = 0x00000001
        • 0 = "Root\LEGACY_PELODLO\0000"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo]
        • Type = 0x00000001
        • Start = 0x00000001
        • ErrorControl = 0x00000001
        • ImagePath = "%System%\Drivers\trs.sys"
        • DisplayName = "putit"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\teim]
        • ImagePath = "%System%\Drivers\ugntp.sys"
        • Start = 0x00000000
        • Type = 0x00000001
        • ErrorControl = 0x00000001
        • ntnhcy = "%System%\mdxkrx.txt"
        • dhhxl = "C:\WINDOWS"
        • wktozvym = 0x000042AF
        • Group = "rjux"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Control]
        • *NewlyCreated* = 0x00000000
        • ActiveService = "pelodlo"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000]
        • Service = "pelodlo"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "putit"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo\Enum]
        • Count = 0x00000001
        • NextInstance = 0x00000001
        • INITSTARTFAILED = 0x00000001
        • 0 = "Root\LEGACY_PELODLO\0000"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo]
        • Type = 0x00000001
        • Start = 0x00000001
        • ErrorControl = 0x00000001
        • ImagePath = "%System%\Drivers\trs.sys"
        • DisplayName = "putit"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\teim]
        • ImagePath = "%System%\Drivers\ugntp.sys"
        • Start = 0x00000000
        • Type = 0x00000001
        • ErrorControl = 0x00000001
        • ntnhcy = "%System%\mdxkrx.txt"
        • dhhxl = "C:\WINDOWS"
        • wktozvym = 0x000042AF
        • Group = "rjux"
      • [HKEY_CURRENT_USER\EnableLUA]
        • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System = 0x00000000
    • The following Registry Values were modified:
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder]
        • List =
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder]
        • List =

  • d. Other details

    • The following port was open in the system:

    Port Protocol Process
    1055 TCP formularo.exe (c:\formularo.exe)

    • There were registered attempts to establish connection with the remote hosts. The connection details are:

    Remote Host Port Number
    213.186.33.19 80
    77.243.225.60 80

    • The data identified by the following URLs was then requested from the remote web server:

      • http://www.jeremie.tv/demo/dpoker/images/formularo.exe
      • http://www.olvpls.be/images/edit_32_3.php

     

    3. How-to's

    a. How to prevent the  Trojan-Dropper.Agent ?

    Please update the policy basic knowledge of Sax2  in time, Once  Ax3soft sax2 detects  the communication of these trojans, it will break them and  ensure your network & business security.

    b. How to Remove the Trojan-Dropper.Agent Manually?

    Step 1 : Use Windows Task Manager to Remove Trojan-Dropper.Agent Processes

    c:\formularo.exe
    %AppData%\wap.exe
    c:\titi.exe
     

    Step 2 : Use Registry Editor to Remove Trojan-Dropper.Agent Registry Values

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo\Security
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\teim
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\teim
    HKEY_CURRENT_USER\EnableLUA
    HKEY_CURRENT_USER\wap

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    (Default) = "%AppData%\wap.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    Cleanup = "C:\cleanup.exe"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO\0000\Control]
    *NewlyCreated* = 0x00000000
    ActiveService = "pelodlo"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO\0000]
    Service = "pelodlo"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "putit"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PELODLO]
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo\Enum]
    Count = 0x00000001
    NextInstance = 0x00000001
    INITSTARTFAILED = 0x00000001
    0 = "Root\LEGACY_PELODLO\0000"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo\Security]
    Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pelodlo]
    Type = 0x00000001
    Start = 0x00000001
    ErrorControl = 0x00000001
    ImagePath = "%System%\Drivers\trs.sys"
    DisplayName = "putit"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\teim]
    ImagePath = "%System%\Drivers\ugntp.sys"
    Start = 0x00000000
    Type = 0x00000001
    ErrorControl = 0x00000001
    ntnhcy = "%System%\mdxkrx.txt"
    dhhxl = "C:\WINDOWS"
    wktozvym = 0x000042AF
    Group = "rjux"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Control]
    *NewlyCreated* = 0x00000000
    ActiveService = "pelodlo"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000]
    Service = "pelodlo"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "putit"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PELODLO]
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo\Enum]
    Count = 0x00000001
    NextInstance = 0x00000001
    INITSTARTFAILED = 0x00000001
    0 = "Root\LEGACY_PELODLO\0000"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo\Security]
    Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pelodlo]
    Type = 0x00000001
    Start = 0x00000001
    ErrorControl = 0x00000001
    ImagePath = "%System%\Drivers\trs.sys"
    DisplayName = "putit"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\teim]
    ImagePath = "%System%\Drivers\ugntp.sys"
    Start = 0x00000000
    Type = 0x00000001
    ErrorControl = 0x00000001
    ntnhcy = "%System%\mdxkrx.txt"
    dhhxl = "C:\WINDOWS"
    wktozvym = 0x000042AF
    Group = "rjux"
    [HKEY_CURRENT_USER\EnableLUA]
    SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System = 0x00000000
     

    Step3: Detect and Delete Other Trojan-Dropper.Agent Files

    c:\cleanup.exe
    %AppData%\wap.exe
    c:\formularo.exe
    c:\kill.txt
    c:\TITI.EXE
    %Windir%\ERRO
    %System%\drivers\trs.sys
    %System%\drivers\ugntp.sys
    %System%\mdxkrx.txt
    [file and pathname of the sample #1]
     

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and it is not recommend unless you are an expert in this field. Therefore, you best defense is to download and install a reliable anti-spyware program to scan spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advised trying the  Malwarebytes' Anti-Malware, it is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

    		•