How to Prevent and Remove the Trojan-Dropper.Win32.Agent.xzr
1. What is the Trojan-Dropper.Win32.Agent.xzr

Trojan-Dropper.Win32.Agent.xzr is a Trojan. Unlike viruses and worms, it does not replicate itself. It is usually spread manually over the Internet under the pretence that it is a useful or needed program. The most common ways it gets onto a system are exploitation of unpatched security holes and the unsuspecting execution of unknown programs. Its delivery channels include e-mail, unknown freeware and shareware, Internet Relay Chat (IRC) and peer-to-peer networks.
Trojan-Dropper.Win32.Agent.xzr can be used to steal passwords and other confidential data and send them to a third party.

2. Technical Details:

a. The following files were created in the system:

#   Filename(s)                              File Size
1   %AppData%\Microsoft\winlog.exe           144,384 bytes
    %ProgramFiles%\server.exe
2   [file and pathname of the sample #1]     89,600 bytes
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

b. Memory Modifications

  • There was a new process created in the system:

Process Name   Process Filename                   Allocated Size
winlog.exe     %AppData%\microsoft\winlog.exe     172,032 bytes

c. Registry Modifications

  • The newly created Registry value is:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • winlog.exe = "%AppData%\Microsoft\winlog.exe"

    This value makes winlog.exe start every time the infected user logs on to Windows (HKCU\...\Run entries run at user logon, not at system boot).

d. Other details

  • The following port was open in the system:

    Port   Protocol   Process
    1937   TCP        winlog.exe (%AppData%\Microsoft\winlog.exe)

  • There were registered attempts to establish a connection with a remote host. The connection details are:

    Remote Host      Port Number
    67.247.34.223    3174
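The file, process, registry, port and remote-host indicators above can be checked in one pass on a suspect host. The following PowerShell script is an added example written for this page; it is not the vendor's code. It assumes an elevated PowerShell 5.1 or later session and, for the network checks, a Windows version that ships Get-NetTCPConnection (Windows 8 / Server 2012 or later). The indicator values are taken from the tables above; the function and variable names are illustrative.

```powershell
# Added example: audit a Windows host for the Trojan-Dropper.Win32.Agent.xzr
# indicators listed in section 2 and report which of them are present.
# Assumes an elevated session; Get-NetTCPConnection needs Windows 8+/2012+.

$Indicators = @{
    Files       = @('%AppData%\Microsoft\winlog.exe', '%ProgramFiles%\server.exe')
    ProcessName = 'winlog'    # Get-Process takes the image name without .exe
    RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    RunValue    = 'winlog.exe'
    ListenPort  = 1937
    RemoteHost  = '67.247.34.223'
    RemotePort  = 3174
}

function Test-AgentXzrIndicators {
    param([hashtable]$Ioc = $Indicators)
    $hits = New-Object System.Collections.Generic.List[string]

    # a. Dropped files: expand %AppData% / %ProgramFiles% for the current user.
    foreach ($f in $Ioc.Files) {
        $path = [Environment]::ExpandEnvironmentVariables($f)
        if (Test-Path -LiteralPath $path) { $hits.Add("file: $path") }
    }

    # b. Running process. Matching on 'winlog' does not match the legitimate
    #    winlogon.exe; the image path is reported so the location can be checked.
    foreach ($p in Get-Process -Name $Ioc.ProcessName -ErrorAction SilentlyContinue) {
        $hits.Add("process: PID $($p.Id) $($p.Path)")
    }

    # c. Run-key persistence value under HKCU.
    $run = Get-ItemProperty -Path $Ioc.RunKey -Name $Ioc.RunValue -ErrorAction SilentlyContinue
    if ($run) { $hits.Add("autorun: $($Ioc.RunValue) = $($run.($Ioc.RunValue))") }

    # d. Listening port and any connection to the remote host/port from the page.
    foreach ($c in Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        if ($c.State -eq 'Listen' -and $c.LocalPort -eq $Ioc.ListenPort) {
            $hits.Add("listen: TCP $($c.LocalPort) PID $($c.OwningProcess)")
        }
        if ($c.RemoteAddress -eq $Ioc.RemoteHost -and $c.RemotePort -eq $Ioc.RemotePort) {
            $hits.Add("remote: $($c.RemoteAddress):$($c.RemotePort) PID $($c.OwningProcess)")
        }
    }
    return $hits
}

$found = @(Test-AgentXzrIndicators)
if ($found.Count -eq 0) { 'No Trojan-Dropper.Win32.Agent.xzr indicators found.' }
else { $found | ForEach-Object { "HIT  $_" } }
```

A hit on the process or file indicators alone is enough to move to the removal steps in section 3; the port and remote-host checks are time-dependent and will only fire while the Trojan is running and the remote host is reachable.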

3. How-to's

a. How to prevent Trojan-Dropper.Win32.Agent.xzr?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it breaks the connection to protect your network and business.

b. How to Remove Trojan-Dropper.Win32.Agent.xzr Manually?

Step 1: Find and stop the Trojan-Dropper.Win32.Agent.xzr process:

winlog.exe

Note that the legitimate Windows logon process is winlogon.exe in %SystemRoot%\System32; the Trojan's winlog.exe runs from %AppData%\Microsoft. Check the image path before terminating anything.

Step 2: Find and delete the Trojan-Dropper.Win32.Agent.xzr files (the running process must be stopped first, or Windows will refuse to delete winlog.exe):

%AppData%\Microsoft\winlog.exe
%ProgramFiles%\server.exe
[file and pathname of the sample #1]

Step 3: Find and remove the Trojan-Dropper.Win32.Agent.xzr registry value. Delete only the winlog.exe value listed below, not the whole Run key, which also holds the autostart entries of legitimate programs:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• winlog.exe = "%AppData%\Microsoft\winlog.exe"
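The three removal steps above can be scripted so that each artifact is checked before it is touched. The following PowerShell function is an added example for this page, not the vendor's tool; it assumes an elevated PowerShell 5.1 or later session and handles only the two paths the page names (the bracketed "[file and pathname of the sample #1]" is unknown and is not filled in). The function name is illustrative.

```powershell
# Added example: perform the manual removal steps for Trojan-Dropper.Win32.Agent.xzr.
# Assumes an elevated session. Supports -WhatIf so the actions can be reviewed first.

function Remove-AgentXzr {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $files = @('%AppData%\Microsoft\winlog.exe', '%ProgramFiles%\server.exe') |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValue = 'winlog.exe'

    # Step 1: stop the process. Filter on the full image path, not just the name,
    # so that only a winlog.exe living at one of the dropped-file paths is killed.
    Get-Process -Name 'winlog' -ErrorAction SilentlyContinue |
        Where-Object { $files -contains $_.Path } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("PID $($_.Id) $($_.Path)", 'Stop-Process')) {
                Stop-Process -Id $_.Id -Force
            }
        }

    # Step 2: delete the dropped files. This fails if Step 1 did not stop the process.
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            if ($PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }

    # Step 3: remove only the winlog.exe value. Deleting the whole Run key would
    # also remove every other program configured to start with the user's session.
    $run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($run) {
        if ($PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $runValue
        }
    }
}

Remove-AgentXzr -WhatIf    # dry run; drop -WhatIf to apply the changes
```

Because the Run value lives under HKEY_CURRENT_USER, the script only cleans the profile it runs in; on a shared machine, run it (or check the same value) in each user account that may have executed the sample.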


c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine. In order to detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm