Malware Trojan.Win32.Agent.hpjr – Trojan has a destructive effect on the user’s computer.
Technical details
Trojan has a destructive effect on the user’s computer. The program itself is a Windows (PE EXE-file). Has a size of 28672 bytes. The program is packed unknown packer. Unpacked size – about 120 KB. Written in C + +.
Destructive activity
The Trojan malicious payload directly in the context of its process or if the operating system under Windows Vista, inject malicious code into the process:
Explorer.exe
Trojan terminates when the primary language of the system is specified as a “Russian (ru)”.
Downloads files from the following URL address:
http:// ** fini ** .com / wawxb / tpghllpctg.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / tpghllpctg.php? adv = adv477 & id = & c = http:// ** fini ** .com / wawxb / ivvvz.php? adv = adv477 & id = & c = http:// ** cart **. com / wawxb / ivvvz.php? adv = adv477 & id = & c = http:// ** fini ** .com / wawxb / viizz.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / viizz.php? adv = adv477 & id = & c = http:// ** fini ** .com / wawxb / qdquhyzccu.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / qdquhyzccu.php? adv = adv477 & id = & c = http:// ** fini **. com / wawxb / ccppdtxly.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / ccppdtxly.php? adv = adv477 & id = & c = http:// ** fini ** .com / wawxb / vjjjnare.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / vjjjnare.php? adv = adv477 & id = & c = http:// ** fini ** .com / wawxb / ghuuy.php? adv = adv477 & id = & c = http:// ** cart **. com / wawxb / ghuuy.php? adv = adv477 & id = & c = http:// ** fini ** .com / wawxb / kllpcttkx.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / kllpcttkx.php? adv = adv477 & id = & c = http:// ** fini ** .com / wawxb / cmzmqqehi.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / cmzmqqehi.php? adv = adv477 & id = & c = http:// ** fini **. com / wawxb / oyllyppgu.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / oyllyppgu.php? adv = adv477 & id = & c = http:// ** fini ** .com / wawxb / gtgtxkoofg.php? adv = adv477 & id = & c = http:// ** cart ** .com / wawxb / gtgtxkoofg.php? adv = adv477 & id = & c =
where – serial number of the volume in the device “C:”, – specially modified number .
Saves downloaded files to a temporary directory of the current user with the following names and lets you run a downloaded file:
% Temp% \ sjbavb.exe% Temp% \ biekl.exe% Temp% \ brin.exe% Temp% \ tkktiws.exe% Temp% \ urhawh.exe% Temp% \ punian.exe% Temp% \ fcqjwf.exe% Temp% \ tijm.exe% Temp% \ xoih.exe% Temp% \ ofbqw.exe% Temp% \ yyfcn.exe
The Trojan sends the following URL address:
http:// ** fini ** .com / wawxb / occpgtx.php http:// ** cart ** .com / wawxb / occpgtx.php
information about which browser is installed on the system by default. The Trojan then terminates and deletes the body.
Removal
If your computer was not protected by Antivirus and is infected with this malware, then delete the following steps:
1. Delete the original Trojan file (the location of the victim will depend on how the program originally penetrated the victim machine).
2. Delete files:
% Temp% \ eopidvn.exe% Temp% \ kqsxukt.exe% Temp% \ eiyydlvi.exe% Temp% \ bsirncax.exe% Temp% \ udjirwcu.exe% Temp% \ ojhwlifi.exe% Temp% \ jveob.exe% Temp% \ ooflesrr.exe% Temp% \ kkqhnjp.exe% Temp% \ yxybov.exe% Temp% \ vbkxhfhv.exe
