TROJ_AGENT.AUHK
Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan arrives as a file that exports the functions of other malware/grayware. It may arrive bundled with malware packages as a malware component. It may be dropped by other malware.
It creates an event.
TECHNICAL DETAILS
110,592 bytes
DLL
Yes
09 Dec 2010
Connects to URLs/Ips, Steals information
Arrival Details
This Trojan arrives as a file that exports the functions of other malware/grayware.
It may arrive bundled with malware packages as a malware component.
It may be dropped by other malware.
Backdoor Routine
As of this writing, the said sites are inaccessible.
Other Details
This Trojan connects to the following possibly malicious URL:
- nsser.{BLOCKED}supdata.com
- nslsa.{BLOCKED}pdata.com
- nsservic.{BLOCKED}update.hk
It creates the following event(s):
- MYGAMEHAVESTARTED
NOTES:
Based on analysis of the codes, it has the following capabilities:
- Gathers the following:
- Windows Version Information
- CPU Type
- System Time
- Account Information
- Disk Information
- Internet Information
- Protocol Information
- NETBIOS Information
- Installed Appilcations
- IE Version Information
- IE BHO Information
SOLUTION
8.900
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Scan your computer with your Trend Micro product and note files detected as TROJ_AGENT.AUHK
Step 3
Restart in Safe Mode
Step 4
Search and delete the file detected as TROJ_AGENT.AUHK
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_AGENT.AUHK. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.