Troj/Agent-OVJ is the final component of a multi-component malware attack that begins with a malicious HLP file designed to install a dangerous executable on the victim’s computer. HLP files are Windows Help files and are traditionally regarded as safe. However, criminals can use these files to drop malware on a computer. An example of this was first detected in August 2012. This attack involves a malicious HLP file aimed at Italian-speaking victims. Named Amministrazione.hlp (‘Amministrazione’ is the Italian word for ‘Administration’), this malware infection uses a social engineering approach to convince computer users to run it and initiate the process that ends with the installation of the Troj/Agent-OVJ Trojan.
Once this malicious Windows Help file is opened, it forces the affected computer to display an error message with the following text:
Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)
This error message is there to mislead the victim, distracting their attention while an executable file is dropped in the background. This malicious executable, named Windows Security Center.exe, is designed to install Troj/Agent-OVJ on the victim’s computer. Troj/Agent-OVJ is a component of the infamous DarkShell Trojan. Troj/Agent-OVJ itself takes the form of a malicious DLL file that contains a highly effective keylogger component. Once installed, Troj/Agent-OVJ keeps track of all activity on the infected computer, storing all keystrokes in a file and isolating sensitive data such as email passwords and online banking credentials.
The Consequences of a Troj/Agent-OVJ Attack
The main goal of Troj/Agent-OVJ is to log all keystrokes on the infected computer’s keyboard and store this information in a file named UserData.dat. At set intervals, Troj/Agent-OVJ attempts to transmit this information to a third party, uploading it to the domain images.zyns.com. Malware researchers have associated this domain with various dangerous malware attacks. To avoid Troj/Agent-OVJ infections, ESG security researchers strongly advise computer users to exercise care when handling HLP files. Despite the fact that this extension is associated with Windows Help files, not all HLP files are safe for your machine. If, by any chance, you have been exposed to Troj/Agent-OVJ, ESG security researchers advise restarting your PC in Safe Mode and using a trustworthy anti-malware program to scan your hard drives for possible malware threats.
How Can You Detect Troj/Agent-OVJ?
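As an added example (not from the original article and not ESG’s own tooling), the following Python script checks log lines and file paths for the indicators this page names: the Amministrazione.hlp lure, the dropped Windows Security Center.exe, the UserData.dat keystroke store under Local Settings\Application Data, and traffic to images.zyns.com. The log lines and their field names (Image=, TargetFilename=, host=) are constructed samples in a generic endpoint/proxy style, not real captures; the Temp drop location and the winhlp32.exe parent are likewise assumptions used only to make the samples realistic.

```python
"""Indicator check for Troj/Agent-OVJ, written as an added example for this page.

The indicator strings come from the page text; the log lines and field names
below are constructed samples, not real captures.
"""
import re
from dataclasses import dataclass

# Indicators named on the page. Each is matched as a whole token: the character
# before and after may not be a word character, '.' or '-', which keeps
# lookalikes such as "images.zyns.com.example" from matching.
_TOKEN = r"(?<![\w.-]){}(?![\w.-])"
INDICATORS = {
    "lure_hlp": re.compile(_TOKEN.format(r"amministrazione\.hlp"), re.IGNORECASE),
    "dropped_executable": re.compile(_TOKEN.format(r"windows security center\.exe"), re.IGNORECASE),
    "keylog_file": re.compile(_TOKEN.format(r"userdata\.dat"), re.IGNORECASE),
    # Exact host or any subdomain of the upload domain.
    "exfil_domain": re.compile(_TOKEN.format(r"(?:[\w-]+\.)*images\.zyns\.com"), re.IGNORECASE),
}


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based position in the scanned input
    indicator: str    # key from INDICATORS
    line: str         # the matching log line


def match_line(line: str) -> list:
    """Return the names of every indicator that appears in one log line."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(line)]


def scan_lines(lines) -> list:
    """Scan an iterable of log lines and return one Hit per (line, indicator)."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for name in match_line(line):
            hits.append(Hit(line_no, name, line.rstrip("\n")))
    return hits


def is_keylog_path(path: str) -> bool:
    """True if a path is the keystroke store the page describes, for any user:
    <profile>\\Local Settings\\Application Data\\UserData.dat (either slash, any case)."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path.strip()) if p]
    return parts[-3:] == ["local settings", "application data", "userdata.dat"]


# Constructed sample lines in a generic endpoint/proxy log style. Nothing here
# was captured from a real infection; the Temp drop path and winhlp32.exe parent
# are assumptions, not facts from the page.
SAMPLE_LOG = [
    '2012-08-14 09:05:44 EventID=1 Image="C:\\WINDOWS\\winhlp32.exe" '
    'CommandLine="winhlp32.exe C:\\Documents and Settings\\mario\\Desktop\\Amministrazione.hlp"',
    '2012-08-14 09:12:03 EventID=1 Image="C:\\Documents and Settings\\mario\\Local Settings\\Temp\\Windows Security Center.exe"',
    '2012-08-14 09:12:04 EventID=11 TargetFilename="C:\\Documents and Settings\\mario\\Local Settings\\Application Data\\UserData.dat"',
    '2012-08-14 09:30:00 proxy src=10.0.0.15 host=images.zyns.com method=POST bytes=48213',
    '2012-08-14 09:31:00 proxy src=10.0.0.15 host=images.example.com method=GET bytes=512',   # benign control
    '2012-08-14 09:40:00 proxy src=10.0.0.22 host=cdn.images.zyns.com.lookalike.example method=GET bytes=100',  # lookalike, must not match
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator}: {hit.line}")
```

To run this over a real export, pass the open file to `scan_lines` (for example `scan_lines(open("proxy.log", encoding="utf-8", errors="replace"))`), and feed file-creation paths from endpoint telemetry to `is_keylog_path` to confirm the UserData.dat location rather than just the name. The domain pattern accepts subdomains of images.zyns.com but rejects hosts that merely contain it, which is the usual pitfall when turning a listed domain into a log search.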
Troj/Agent-OVJ Technical Report
As new Troj/Agent-OVJ details are reported by our customers and findings from our Threat Research Center, we will update this section.
URLs, domains, and websites related to or accessed by Troj/Agent-OVJ (do not visit them):
Troj/Agent-OVJ Removal Details
Troj/Agent-OVJ typically has the following processes in memory:
Troj/Agent-OVJ creates the following files in the system:
- \Documents and Settings\username\Local Settings\Application Data\UserData.dat