A trojan program. It is a Windows application (PE-EXE file). 742912 bytes. Packed by an unknown packer. Unpacked size – around 788 kB. Written in Delphi.
When launching, the trojan copies its executable file under the following name:
Where <Original_Filename> is the original name of the trojan file.
So that it may be automatically launched each time the system is started, the trojan adds a link to its executable file in the system registry startup key:
The trojan also periodically checks for this registry key and restores it if it has been deleted.
The trojan deletes the following registry branch and all of the keys within it. This means that the OS cannot be loaded in “Safe mode”:[HKLMSystemControlSet001ControlSafeBoot] The trojan retrieves two files from its body and saves these under the following names before launching them:
This file is 69632 bytes and is detected by Kaspersky Antivirus as Trojan.Win32.Agent2.cosd.
This file is 69632 bytes and is detected by Kaspersky Antivirus as Trojan.Win32.Pasmu.gv. When launched, this trojan program steals the logins, passwords, and other access data to various services from the following programs:
This trojan program also steals data from the following files:
The trojan may transfer the collected data to the attacker through HTTP-requests to the following resource:
The trojan carries out network communication with the following hosts:
The trojan may also download files from the following links:
These links did not work when creating the description.
If your computer has not been protected by antivirus software and is infected by a trojan program, you need to use Kaspersky Antivirus to delete it: run a full scan of the computer with Kaspersky Antivirus with updated antivirus databases (download trial version).
- Malicious programs
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.