Threat Encyclopedia

Short description
Win32/Agent.PCU is a trojan that repeatedly tries to connect to various URLs. It tries to download several files from them, and the files are then executed. The file is run-time compressed using Upack.
Installation
When executed, the trojan creates the following files:
  • %system%\killdll.dll (61440)
  • %system%\updater.exe (3584)
The files are then executed.

The trojan attempts to replace the following files with a copy of itself:
  • %system%\drivers\aec.sys
  • %system%\drivers\asyncmac.sys

The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\360Safebox.exe]
    "360Safebox.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\360tray.exe]
    "360tray.exe" = "%system%\svchost.exe"

The trojan may delete the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run]
Other information
The following programs are terminated:
  • 360Safebox.exe
  • 360tray.exe
  • AgentSvr.exe
  • antiarp.exe
  • avp.exe

The trojan launches the following processes:
  • cmd /c sc config ekrn start= disabled
  • cmd /c sc config avp start= disabled
  • cmd /c sc config McNASvc start= disabled
  • cmd /c sc config MpfService start= disabled
  • cmd /c sc config McProxy start= disabled
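
A detection sketch for the service-disabling commands and the Image File Execution Options entries listed above, added here as an example and not part of the original write-up. The event format (`PROC|<command line>` and `REG|<key path>`), the rule names and the sample events are assumptions constructed for illustration; the service and executable names come from the lists above.

```python
import re

# Service and executable names taken from the write-up above.
TARGET_SERVICES = {"ekrn", "avp", "mcnasvc", "mpfservice", "mcproxy"}
IFEO_TARGETS = {"360safebox.exe", "360tray.exe"}

# "sc config <service> start= disabled", with or without a "cmd /c" wrapper.
SC_DISABLE = re.compile(
    r'\bsc(?:\.exe)?\s+config\s+"?([^\s"]+)"?\s+start=\s*disabled\b', re.I)
# Captures the image name of an Image File Execution Options subkey.
IFEO_KEY = re.compile(r"\\Image File Execution Options\\([^\\\]\s]+)", re.I)

def classify(event):
    """Return (rule, subject) for a suspicious event, or None.

    Assumed (hypothetical) event format: 'PROC|<command line>' for process
    creation and 'REG|<registry key path>' for a registry write.
    """
    kind, _, data = event.partition("|")
    if kind == "PROC":
        m = SC_DISABLE.search(data)
        if m and m.group(1).lower() in TARGET_SERVICES:
            return ("service_disabled", m.group(1))
    elif kind == "REG":
        # Only the key path is checked here, not the value written to it.
        m = IFEO_KEY.search(data)
        if m and m.group(1).lower() in IFEO_TARGETS:
            return ("ifeo_entry", m.group(1))
    return None

def scan(events):
    """Classify every event and keep only the hits, in input order."""
    return [hit for hit in map(classify, events) if hit]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"PROC|cmd /c sc config ekrn start= disabled",
    r"PROC|cmd /c sc config McProxy start= disabled",
    r"PROC|sc config Spooler start= auto",
    r"PROC|sc query avp",
    r"REG|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe",
    r"REG|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    for rule, subject in scan(SAMPLE_EVENTS):
        print(rule, subject)
```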

The trojan receives data and commands from a remote computer or the Internet. It contains a URL, and the HTTP protocol is used for communication.

The trojan tries to download several files from the URLs it connects to. These are stored in the following locations:
  • %temp%\%variable%_xeex.tmp
A string with variable content is used instead of %variable%. The files are then executed.

The trojan creates the following files:
  • %temp%\_ok.bat