Threat Encyclopedia

JS/Agent.QLN

Aliases: Trojan.Script.298561 (F-Secure), JS:XmlPack-Q (Avast), Trojan.Script.298561 (BitDefender)
Type of infiltration: Trojan
Size: 160907 B
Affected platforms: Microsoft Windows
Signature database version: 4742 (20100104)

Short description

The trojan displays dialogs that ask the user to purchase a specific product/service. After purchasing the product/service, the malware removes itself from the computer. The trojan is probably a part of other malware.

Installation

When executed, the trojan creates the following files:
  • %systemdrive%ax2qY7ASF3IEqtuyK.dll (18944 B)
  • %systemdrive%a0dLC6YClJ4mLcM63.apVn (13 B)
  • %systemdrive%SysFilesOperafeeder.js (13393 B)
  • %firefoxfolder%\extensions\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\chrome.manifest (314 B)
  • %firefoxfolder%\extensions\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\install.rdf (833 B)
  • %firefoxfolder%\extensions\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\chrome\content\i_n_f_o_r_m_e_r.xul (231 B)
  • %firefoxfolder%\extensions\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\chrome\content\informer.js (14969 B)
  • %appdata%\Mozilla\Firefox\Profiles\%firefoxprofile%\extensions.cache (425 B)
  • %appdata%mediamodule.xsl (160907 B)
The following files are modified:
  • %appdata%\Opera\Opera\operaprefs.ini
  • %appdata%\Opera\Opera\profile\opera6.ini
The following Registry entries are set:
  • [HKEY_CLASSES_ROOT\CLSID\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\InprocServer32]
    "(Default)" = "%systemdrive%ax2qY7ASF3IEqtuyK.dll"
    "ThreadingModel" = "Apartment"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Enable Browser Extensions" = "yes"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}]
    "(Default)" = "MS Media Module"
    "NoExplorer" = 1
  • [HKEY_CLASSES_ROOT\CLSID\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}]
    "(Default)" = "MS Media Module"

Other information

The trojan displays dialogs that ask the user to purchase a specific product/service.

After purchasing the product/service, the malware removes itself from the computer.

The trojan displays the following dialog box:
[Image: dialog box displayed by the trojan]
The following programs are affected:
  • Internet Explorer
  • Mozilla Firefox
  • Opera