Skip to content

Threat Encyclopedia
Export page to PDF
TROJ_DROPPER.ADO
Aliases: Trojan horse Dropper.Agent.AENC (AVG); Trojan-Dropper.Win32.Agent (GFI-Sunbelt)
Malware type: Trojan
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
Encrypted: No
In the wild: Yes

Overview


This Trojan drops files detected as BKDR_COSMU.KO. It modifies registry entry(ies) as part of its installation routine.

It then installs the dropped DLL component as service by creating registry entries.

This Trojan may be dropped by other malware.

Technical Details


File size: 17,636 bytes
File type: PE
File Compression: UPX
Memory resident: Yes
Initial samples received date: 14 Mar 2011
Payload: Drops files

Arrival Details

This Trojan may be dropped by the following malware:

  • TROJ_ADOBFP.B

Installation

This Trojan drops the following files:

  • %System%\xmlprovsvc.dll - detected by Trend Micro as BKDR_COSMU.KO

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other System Modifications

This Trojan modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\xmlprov\Parameters
ServiceDll = "%System%\xmlprovsvc.dll"

(Note: The default value data of the said registry entry is %system%\xmlprov.dll.)

It also creates the following registry entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel
ImagePath = "%System Root%\System32\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel\Parameters
ServiceDll = "%System%\xmlprovsvc.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel
DependOnService = "RpcSs"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel
Description = "Manages XML configuration files on a domain basis for automatic network provisioning."

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel
DisplayName = "Network Provisioning Service"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel
Start = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WinKernel
Type = "20"

It creates the following service using its DLL component:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_XMLPROV\
0000
Service = "xmlprov"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\xmlprov\Enum
0 = "Root\LEGACY_XMLPROV\0000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_XMLPROV\
0000
Legacy = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_XMLPROV\
0000
ConfigFlags = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_XMLPROV\
0000
Class = "LegacyDriver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_XMLPROV\
0000
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\xmlprov\Enum
Count = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\xmlprov\Enum
NextInstance = "1"

Solution


Minimum scan engine: 8.900
VSAPI OPR Pattern Version: 7.903.00
VSAPI OPR Pattern Release Date: 15 Mar 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove the malware/grayware file that dropped/downloaded TROJ_DROPPER.ADO

Step 3

Remove malware files dropped/downloaded by TROJ_DROPPER.ADO

Step 4

Identify and terminate files detected as TROJ_DROPPER.ADO

[ Learn more ]
  1. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  2. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 5

Delete this registry value

[ Learn more ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XMLPROV\0000
    • Service = "xmlprov"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XMLPROV\0000
    • Legacy = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XMLPROV\0000
    • ConfigFlags = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XMLPROV\0000
    • Class = "LegacyDriver"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XMLPROV\0000
    • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Enum
    • 0 = "Root\LEGACY_XMLPROV\0000"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Enum
    • Count = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Enum
    • NextInstance = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WinKernel
    • DependOnService = "RpcSs"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WinKernel
    • Description = "Manages XML configuration files on a domain basis for automatic network provisioning."
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WinKernel
    • DisplayName = "Network Provisioning Service"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WinKernel
    • ErrorControl = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WinKernel
    • ImagePath = "%System Root%\System32\svchost.exe -k netsvcs"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WinKernel
    • ObjectName = "LocalSystem"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WinKernel
    • Start = "2"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WinKernel
    • Type = "20"

Step 6

Restore this modified registry value

[ Learn more ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters
    • From: ServiceDll = "%System%\xmlprovsvc.dll"
      To: ServiceDll = "%System%\xmlprov.dll"

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_DROPPER.ADO. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.
Analysis By: Erika Bianca Mendoza

Connect with us on