How to Prevent and Remove the Trojan.Win32.Malagent
 

1. What is Trojan.Win32.Malagent?
 

Trojan.Win32.Malagent is usually a standalone program that drops different types of standalone malware (Trojans, worms and backdoors) onto a Windows system. It is an executable file that carries the other files compressed inside its own body and writes them out when it runs.

 

2. Technical Details

 

a. The following files were created in the system:

No.  Filename                                               Size
1    %Temp%\Keys.txt                                        16 bytes
2    %Temp%\Microsoftnet.exe                                18,432 bytes
3    %Temp%\WinAV.exe [file and pathname of the sample #1]  186,552 bytes

  • Note:
    • %Temp% is a variable that refers to the current user's temporary folder. By default this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

b. Memory Modifications

  • The following new processes were created in the system:

Process Name                  Process Filename           Allocated Size
[filename of the sample #1]   %System%\winnt.exe         N/A
Microsoftnet.exe              %Temp%\microsoftnet.exe    N/A

c. Registry Modifications

  • The newly created Registry Value is:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • Windows Update = "%Temp%\WinAV.exe"

      so that WinAV.exe runs every time Windows starts.

d. Other details

  • The following ports were open (listening) in the system:

    Port   Protocol   Process
    1050   TCP        [file and pathname of the sample #1]
    1051   TCP        Microsoftnet.exe (%Temp%\Microsoftnet.exe)

  • Attempts to establish connections with the following remote hosts were recorded:

    Remote Host      Port Number
    72.233.89.199    80
    74.125.45.109    587

    Port 80 is HTTP and port 587 is the SMTP mail-submission port, so the second connection is consistent with sending collected data out by e-mail.

  • The data identified by the following URLs was then requested from the remote web server (these pages return the requesting machine's public IP address):
    • http://whatismyip.com/automation/n09230945.asp
    • http://www.whatismyip.com/automation/n09230945.asp

     

3. How-to's

a. How to prevent Trojan.Win32.Malagent?

Keep the Sax2 policy knowledge base updated in time. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and help ensure your network and business security.

b. How to Remove Trojan.Win32.Malagent Manually?

Before deleting anything, end the running processes listed in section 2 (winnt.exe, Microsoftnet.exe and WinAV.exe): Windows will not let you delete an executable that is still running.

Step 1: Remove the registry value created by Trojan.Win32.Malagent:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

• Windows Update = "%Temp%\WinAV.exe"

Step 2: The "Trojan.Win32.Malagent.aa" malicious program may also be loaded through the "run=" and "load=" entries in the system WIN.INI file, so these lines must be checked carefully and emptied if they point at an unknown program.

Step 3: Clean up the IE Temporary Internet Files folder, where the original carrier of the threat is possibly stored, and delete the files listed in section 2 from %Temp%. The malicious files generated by Trojan.Win32.Malagent.aa may also be located in the following locations:
C:\
C:\Documents and Settings\All Users\
C:\WINDOWS\
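The three manual steps above, together with the file, process, registry and network indicators from section 2, as one audit-and-clean script. This is an added example, not code from the original page or from Ax3soft. The function name and the -Remove switch are this example's own choices, as is the use of Get-NetTCPConnection (Windows 8 / Server 2012 and later); the indicator values themselves are the ones the page lists.

```powershell
# Added example (not from the original page): audit a Windows host for the
# Trojan.Win32.Malagent indicators listed above and, with -Remove, clean
# them up. Run from an elevated PowerShell prompt: the Run value is under HKLM.

function Get-MalagentIndicators {
    [CmdletBinding()]
    param(
        [switch]$Remove   # default is report-only
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $tempDir  = [System.IO.Path]::GetTempPath()   # resolves %Temp% for the current user

    # 1. Running processes from the report. Stop them first so the files
    #    they hold open can be deleted afterwards.
    foreach ($procName in 'Microsoftnet', 'WinAV', 'winnt') {
        foreach ($p in Get-Process -Name $procName -ErrorAction SilentlyContinue) {
            $findings.Add("process: $($p.Name) PID $($p.Id) $($p.Path)")
            if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
        }
    }

    # 2. Dropped files in %Temp% (sizes from the report: 16, 18,432, 186,552 bytes)
    foreach ($name in 'Keys.txt', 'Microsoftnet.exe', 'WinAV.exe') {
        $path = Join-Path $tempDir $name
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            $findings.Add("file: $path ($size bytes)")
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }

    # 3. Run-key persistence: Windows Update = "%Temp%\WinAV.exe" (step 1)
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Windows Update' -ErrorAction SilentlyContinue
    if ($run -and $run.'Windows Update' -match 'WinAV\.exe') {
        $findings.Add("registry: $runKey\Windows Update = $($run.'Windows Update')")
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Windows Update' }
    }

    # 4. Legacy WIN.INI autostart (step 2): any non-empty run= or load= line is
    #    reported for manual inspection and never edited automatically.
    $winIni = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path -LiteralPath $winIni) {
        Get-Content -LiteralPath $winIni |
            Where-Object { $_ -match '^\s*(run|load)\s*=\s*\S' } |
            ForEach-Object { $findings.Add("win.ini: $($_.Trim())") }
    }

    # 5. Network indicators: listeners on 1050/1051 and connections to the two
    #    remote hosts. Get-NetTCPConnection needs Windows 8 / Server 2012 or
    #    later; on older systems run `netstat -ano` and check by hand.
    $suspectPorts = 1050, 1051
    $suspectHosts = '72.233.89.199', '74.125.45.109'
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        foreach ($c in Get-NetTCPConnection) {
            if (($c.State -eq 'Listen' -and $suspectPorts -contains $c.LocalPort) -or
                ($suspectHosts -contains $c.RemoteAddress)) {
                $findings.Add("network: $($c.LocalAddress):$($c.LocalPort) -> " +
                              "$($c.RemoteAddress):$($c.RemotePort) $($c.State) PID $($c.OwningProcess)")
            }
        }
    }

    if ($findings.Count -eq 0) { $findings.Add('no Malagent indicators found') }
    return $findings.ToArray()
}

# Report only; rerun with -Remove to stop the processes, delete the files and
# remove the Run value. Reboot afterwards and run the audit again.
Get-MalagentIndicators
```

The Temporary Internet Files cleanup from step 3 is left to the Internet Options dialog, and win.ini is only reported, because both are places where an automated delete can remove legitimate entries. Run the audit a second time after a reboot: if WinAV.exe or the Run value come back, something else on the system is re-dropping them and a full anti-malware scan is the next step.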

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan for spyware on your machine. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
