Threat Encyclopedia

Short description
Win32/Agent.PCV is a trojan that repeatedly tries to connect to various URLs. It tries to download several files from those addresses and then executes them. The file is run-time compressed using UPack.
Installation
When executed, the trojan creates the following files:
  • %system%\killdll.dll (61440 B)
  • %system%\updater.exe (3584 B)
The files are then executed.

The trojan attempts to replace the following files with a copy of itself:
  • %system%\drivers\aec.sys
  • %system%\drivers\asyncmac.sys
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run]
    "Ferrari" = "%system%\scvhost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\360Safebox.exe]
    "360Safebox.exe" = "%system%\svchost.exe"
The trojan may delete the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run]
Other information
The following programs are terminated:
  • 360Safebox.exe
  • 360tray.exe
  • AgentSvr.exe
  • antiarp.exe
  • avp.exe
The trojan launches the following processes:
  • cmd /c sc config ekrn start= disabled
  • cmd /c sc config avp start= disabled
  • cmd /c sc config McNASvc start= disabled
  • cmd /c sc config MpfService start= disabled
  • cmd /c sc config McProxy start= disabled
The trojan receives data and commands from a remote computer or the Internet. It contains a list of URLs (1 entry) and communicates over HTTP.

The trojan tries to download several files from the URLs it contacts. These are stored in the following locations:
  • %temp%\%variable%_xeex.tmp
A string with variable content is used instead of %variable%. The files are then executed.

The trojan creates the following files:
  • %temp%\_ok.bat