Trojan Horse PSW.Agent.ABKU

Trojan Horse PSW.Agent.ABKU is a generic detection for a Trojan variant that steals sensitive information from infected computers. It may also block some antivirus programs from running by disabling their processes. Trojan Horse PSW.Agent.ABKU will also try to connect to a remote server and download additional threats.

Alias: New Malware.aj (McAfee), Trojan Horse (Symantec), TROJ_QQPASS.P (Trend Micro), Mal/Behav-009 (Sophos), Trojan.Zlob (Ikarus)

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
Upon execution, Trojan Horse PSW.Agent.ABKU drops a file into the Windows Temp directory. It also adds registry keys to the compromised computer that are essential to performing its tasks.

The Trojan also has other harmful characteristics, including the following:

  • It may connect to the Internet and request additional malware files.
  • The author of this Trojan used a packer that is not typically used for legitimate software.
  • The Trojan may terminate any instance of security software services.
  • It contains other characteristics and identified security risks.

Distribution
Trojan Horse PSW.Agent.ABKU spreads mainly through file-sharing networks. In most cases, a Trojan developer embeds the malicious code in legitimate executable files that are made available online through file-sharing servers. Using an encryption method not commonly used for commercial products, it often conceals itself from antivirus applications.

Added Registry Entries:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KISSTUSB
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KISSTUSB\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KISSTUSB\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KISSTUSB
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KISSTUSB\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KISSTUSB\0000\Control
Associated Files and Folders:
%Temp%\3a232d.dll
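As an added example (not part of this writeup), the following read-only PowerShell check looks for the registry keys and dropped file listed above and reports what it finds without deleting anything. The Services\KISSTUSB key is an assumption inferred from the LEGACY_ naming convention and is not listed on the page.

```powershell
# Added example, not from the original writeup: read-only check for the
# PSW.Agent.ABKU indicators listed above. Reports findings, changes nothing.
# Assumption: the PnP manager names Enum\Root\LEGACY_<name> keys after the
# service they belong to, so a Services\KISSTUSB key is checked as an extra,
# inferred indicator (not on the page).

$registryIndicators = @(
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_KISSTUSB',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_KISSTUSB\0000',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_KISSTUSB\0000\Control',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KISSTUSB',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KISSTUSB\0000',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KISSTUSB\0000\Control',
    # Inferred from the LEGACY_ naming convention, not listed on the page:
    'HKLM:\SYSTEM\CurrentControlSet\Services\KISSTUSB'
)

# %Temp% in the writeup is the user's temp folder; expand it for the current
# user and also check the system-wide Windows\Temp folder.
$fileIndicators = @(
    (Join-Path $env:TEMP '3a232d.dll'),
    (Join-Path $env:SystemRoot 'Temp\3a232d.dll')
)

function Test-AbkuIndicators {
    $findings = @()
    foreach ($key in $registryIndicators) {
        if (Test-Path -LiteralPath $key) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Path = $key }
        }
    }
    foreach ($file in $fileIndicators) {
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $item = Get-Item -LiteralPath $file -Force
            # Size and timestamp help correlate with AV logs and build a timeline.
            $findings += [pscustomobject]@{
                Type          = 'File'
                Path          = $file
                SizeBytes     = $item.Length
                LastWriteTime = $item.LastWriteTime
            }
        }
    }
    return $findings
}

$results = Test-AbkuIndicators
if (@($results).Count -eq 0) {
    Write-Output 'No PSW.Agent.ABKU indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM keys are readable; a hit on any line means the antivirus scan in the removal steps below still has work to do.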

How to Remove Trojan Horse PSW.Agent.ABKU

1. Temporarily disable System Restore (Windows Me/XP).
2. To be able to identify even the most recent variant of Trojan Horse PSW.Agent.ABKU, open your antivirus application and update the virus definition file.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 repeatedly.
- The computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- Windows will now boot and load only the necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If an item cannot be deleted, place it in quarantine instead. Once the scan is complete, proceed with the next step.

Scan with Norton Power Eraser:

Norton Power Eraser, a free tool from Symantec, provides deep scanning technology to detect and remove threats like Trojan Horse PSW.Agent.ABKU. NPE targets and eliminates threats that a regular virus scan fails to identify. Download NPE here.

Important! Because of Norton Power Eraser's aggressive method, it can flag even legitimate files as suspicious. Use this tool very carefully.
