Malware Trojan.Win32.Agent.hpjr

Posted: August 29, 2012 in Encyclopedia viruses

Malware Trojan.Win32.Agent.hpjr – Trojan has a destructive effect on the user’s computer.

Technical details

The Trojan has a destructive effect on the user's computer. The program itself is a Windows PE EXE file of 28672 bytes. It is packed with an unknown packer; the unpacked size is about 120 KB. Written in C++.

Destructive activity

The Trojan executes its malicious payload directly in the context of its own process or, if the operating system is Windows Vista, injects the malicious code into the following process:

Explorer.exe

The Trojan terminates if the primary language of the system is set to "Russian (ru)".

Downloads files from the following URLs:

http://**fini**.com/wawxb/tpghllpctg.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/tpghllpctg.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/ivvvz.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/ivvvz.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/viizz.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/viizz.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/qdquhyzccu.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/qdquhyzccu.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/ccppdtxly.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/ccppdtxly.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/vjjjnare.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/vjjjnare.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/ghuuy.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/ghuuy.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/kllpcttkx.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/kllpcttkx.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/cmzmqqehi.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/cmzmqqehi.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/oyllyppgu.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/oyllyppgu.php?adv=adv477&id=&c=
http://**fini**.com/wawxb/gtgtxkoofg.php?adv=adv477&id=&c=
http://**cart**.com/wawxb/gtgtxkoofg.php?adv=adv477&id=&c=

where – is the serial number of the "C:" volume and – is a specially modified number.

Saves the downloaded files to the current user's temporary directory under the following names and runs the downloaded file:

%Temp%\sjbavb.exe
%Temp%\biekl.exe
%Temp%\brin.exe
%Temp%\tkktiws.exe
%Temp%\urhawh.exe
%Temp%\punian.exe
%Temp%\fcqjwf.exe
%Temp%\tijm.exe
%Temp%\xoih.exe
%Temp%\ofbqw.exe
%Temp%\yyfcn.exe

The Trojan sends information about which browser is set as the system default to the following URLs:

http://**fini**.com/wawxb/occpgtx.php
http://**cart**.com/wawxb/occpgtx.php

The Trojan then terminates and deletes its own body.

Removal

If your computer was not protected by an antivirus product and is infected with this malware, perform the following steps to remove it:

1. Delete the original Trojan file (its location depends on how the program originally got onto the victim machine).

2. Delete the following files:

%Temp%\eopidvn.exe
%Temp%\kqsxukt.exe
%Temp%\eiyydlvi.exe
%Temp%\bsirncax.exe
%Temp%\udjirwcu.exe
%Temp%\ojhwlifi.exe
%Temp%\jveob.exe
%Temp%\ooflesrr.exe
%Temp%\kkqhnjp.exe
%Temp%\yxybov.exe
%Temp%\vbkxhfhv.exe
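Added triage helper (not part of the original write-up): it flags the %Temp% file names from the download and removal lists above in a directory listing, and flags requests for the /wawxb/*.php script family (the adv=adv477 download URLs and the occpgtx.php beacon) in proxy log lines. The sample listing, the log lines and the fini.example / cart.example host names are constructed; the real domains are masked on the page.

```python
import re
from typing import Iterable

# File names the write-up lists under %Temp%: the download list and the removal
# list differ on the page, so both sets are included here.
TEMP_DROP_NAMES = {
    "sjbavb.exe", "biekl.exe", "brin.exe", "tkktiws.exe", "urhawh.exe", "punian.exe",
    "fcqjwf.exe", "tijm.exe", "xoih.exe", "ofbqw.exe", "yyfcn.exe",
    "eopidvn.exe", "kqsxukt.exe", "eiyydlvi.exe", "bsirncax.exe", "udjirwcu.exe",
    "ojhwlifi.exe", "jveob.exe", "ooflesrr.exe", "kkqhnjp.exe", "yxybov.exe", "vbkxhfhv.exe",
}

# All URLs on the page share the path prefix /wawxb/<name>.php; the download URLs add
# adv=adv477&id=...&c=... . Only these stable parts are matched, because the domains
# are masked in the write-up and cannot serve as indicators.
WAWXB_RE = re.compile(r"/wawxb/[a-z]+\.php(?:\?adv=adv477\b[^\s\"]*)?", re.IGNORECASE)

def match_temp_files(listing: Iterable[str]) -> list[str]:
    """Return entries of a %Temp% listing whose file name is on the indicator list."""
    hits = []
    for entry in listing:
        name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in TEMP_DROP_NAMES:
            hits.append(entry)
    return hits

def match_proxy_log(lines: Iterable[str]) -> list[dict]:
    """Flag proxy log lines requesting the /wawxb/ script family, one dict per hit."""
    hits = []
    for line in lines:
        m = WAWXB_RE.search(line)
        if m:
            kind = "download" if "adv=adv477" in m.group(0).lower() else "beacon"
            hits.append({"line": line.strip(), "url_fragment": m.group(0), "kind": kind})
    return hits

# Constructed sample input (not from the page): a %Temp% listing and three proxy log lines.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\sjbavb.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
    r"C:\Users\alice\AppData\Local\Temp\VBKXHFHV.EXE",
]
SAMPLE_LOG = [
    "2012-08-29 10:01:02 10.0.0.5 GET http://fini.example/wawxb/tpghllpctg.php?adv=adv477&id=1234&c=5678 200",
    "2012-08-29 10:01:05 10.0.0.5 GET http://cart.example/wawxb/occpgtx.php 200",
    "2012-08-29 10:01:09 10.0.0.5 GET http://www.example.org/index.php?adv=adv477 200",
]

if __name__ == "__main__":
    print(match_temp_files(SAMPLE_LISTING))
    print(match_proxy_log(SAMPLE_LOG))
```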
