The Trojan.Win32.Agent.azsy program is one of the newer variants of the Trojan.Win32.Agent malware group. It penetrates systems through flaws in firewalls and small security vulnerabilities. Some anti-virus software may flag Trojan.win32.agent.azsy as Trojan-Downloader.Win32.Agent.aoth, which is essentially the same program.
When it gets in, this Trojan starts issuing fake pop-up alerts and system scanners, telling users they have multiple security issues that need to be handled by Personal Antivirus. It tries to scare people into buying and installing a licensed version of Personal Antivirus, which is a rogue anti-spyware program.
In addition to this, this Trojan exposes infected systems to other threats by illicitly creating connections that allow the affected computer to be accessed remotely. Both Trojan.win32.agent.azsy and its affiliated rogue anti-spyware Personal Antivirus are highly-dangerous malware programs that should be removed immediately upon detection. If not removed, these applications may cause your system to freeze and crash, violate your privacy and possibly cause your internet connection quality to deteriorate.
Details:
The actual file is a Windows PE EXE file with a size of 417792 bytes, written in C++, and packed using UPX. The unpacked file is around 439KB in size.
Installation:
Once launched, the Trojan copies its body to the current user’s Windows startup directory:
%Documents and Settings%\<user_name>\Main Menu\Programs\Startup\uninstall.exe
This Trojan delivers its payload when the infected computer is rebooted. After startup, it extracts a file from itself with one of the following names:
%Documents and Settings%\<user_name>\Application Data\dumpreport.exe
%Documents and Settings%\<user_name>\Application Data\event.exe
%Documents and Settings%\<user_name>\Application Data\helper.exe
%Documents and Settings%\<user_name>\Application Data\logon.exe
%Documents and Settings%\<user_name>\Application Data\lsas.exe
%Documents and Settings%\<user_name>\Application Data\msiexeca.exe
%Documents and Settings%\<user_name>\Application Data\rundll.exe
%Documents and Settings%\<user_name>\Application Data\service.exe
%Documents and Settings%\<user_name>\Application Data\sound.exe
%Documents and Settings%\<user_name>\Application Data\svchosts.exe
%Documents and Settings%\<user_name>\Application Data\taskmon.exe
%Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
The Trojan ensures that it is launched automatically every time the system is rebooted by modifying the system registry and creating a link to the file it extracted from its body:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd1>" = "<rnd2>"
<rnd1> is a random name chosen from the list below:
EventLog
CrashDump
Init
lsass
RunDll
Regscan
Setup
svchosts
Sound
System
UPNP
TaskMon
Windows
<rnd> is the path to the file extracted from the Trojan shown in the list above.
Upon delivering its payload, the Trojan will erase itself by deleting both its body and its copy:
"%Documents and Settings%\\Main Menu\Programs\Startup\uninstall.exe".
Trojan.32.Agent Manual Removal
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1. Open the Task Manager [Ctrl+Alt+Del] and click the Processes tab. Select the malware application’s name (check the .exe list above) and click “End Process” to stop it from running.
2. Delete this system registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd1>" = "<rnd2>"
3. Erase the original Trojan file. Its exact location depends on how the program originally entered the infected system.
4. Delete these files:
%Documents and Settings%\<user_name>\Application Data\svchosts.exe
%Documents and Settings%\<user_name>\Application Data\taskmon.exe
%Documents and Settings%\<user_name>\Application Data\rundll.exe
%Documents and Settings%\<user_name>\Application Data\service.exe
%Documents and Settings%\<user_name>\Application Data\sound.exe
%Documents and Settings%\<user_name>\Application Data\upnpsvc.exe
%Documents and Settings%\<user_name>\Application Data\lsas.exe
%Documents and Settings%\<user_name>\Application Data\logon.exe
%Documents and Settings%\<user_name>\Application Data\helper.exe
%Documents and Settings%\<user_name>\Application Data\event.exe
%Documents and Settings%\<user_name>\Application Data\dumpreport.exe
%Documents and Settings%\<user_name>\Application Data\msiexeca.exe
5. Delete all files from the Temporary Internet Files folder.
6. If you don’t have anti-virus program yet, download or buy one and update its virus databases. Do a full scan of the computer.