Threat Encyclopedia

Short description
Win32/Agent.PKH is a trojan which modifies the behavior of network routers.
Installation
The trojan does not create any copies of itself.

The following Registry entries are set:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MAIN\
    FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
    "iexplore.exe" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\
    MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
    "iexplore.exe" = ""
Other information
The trojan executes a "DNS cache poisoning" attack, which can cause redirection of network traffic to the attacker's web sites.

The trojan connects to the following addresses:
  • %address%/wizard.htm
  • %address%/home.asp
  • %address%/dlink/hwiz.html
  • %address%/index.asp
  • %address%
%address% stands for the IP address of the router in the local network.

The listed addresses are the addresses of web configuration interfaces of common routers.

The following list of logins is used (name:password):
  • 11111:x-admin
  • 1234:1234
  • 1500:and 2000 Series
  • 1502:1502
  • aaa:often blank
The HTTP protocol is used.
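
The following detector is an added example, not part of the original entry or of any vendor tooling. It flags internal hosts that, within a short window, request several of the router paths listed above or try several login names against the gateway. The log format, gateway IP, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Router web-interface paths listed in this entry ("/" is the bare %address%).
ROUTER_PATHS = {"/wizard.htm", "/home.asp", "/dlink/hwiz.html", "/index.asp", "/"}

# Constructed sample HTTP log (assumed format, not from the entry):
# <epoch> <src_ip> <dst_ip> <method> <path> <status> <basic-auth user or "-">
SAMPLE_LOG = """\
1700000000 192.168.1.23 192.168.1.1 GET /wizard.htm 401 11111
1700000001 192.168.1.23 192.168.1.1 GET /home.asp 401 1234
1700000002 192.168.1.23 192.168.1.1 GET /dlink/hwiz.html 404 1502
1700000003 192.168.1.23 192.168.1.1 GET /index.asp 401 aaa
1700000005 192.168.1.23 203.0.113.10 GET /index.asp 200 -
1700000100 192.168.1.40 192.168.1.1 GET / 200 -
1700000900 192.168.1.40 192.168.1.1 GET /index.asp 200 admin
"""

def find_router_probing(log_text, gateway, window=60, threshold=3):
    """Return {src_ip: evidence} for hosts that, within `window` seconds, hit
    `threshold` distinct router paths or tried `threshold` distinct logins."""
    events = defaultdict(list)  # src_ip -> [(ts, path, user)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, src, dst, _method, path, _status, user = parts
        path = path.split("?", 1)[0].lower()  # ignore query string and case
        if dst == gateway and path in ROUTER_PATHS:
            events[src].append((int(ts), path, user))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            paths = {p for _, p, _ in win}
            users = {u for _, _, u in win if u != "-"}
            if len(paths) >= threshold or len(users) >= threshold:
                flagged[src] = {"paths": sorted(paths), "users": sorted(users)}
                break
    return flagged

if __name__ == "__main__":
    for host, evidence in find_router_probing(SAMPLE_LOG, "192.168.1.1").items():
        print(host, evidence)
```

An administrator who opens the router interface once touches one or two paths with a single login, so the default threshold of 3 leaves that traffic unflagged.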

The trojan receives data and commands from a remote computer or the Internet. It contains a list of 2 URLs.

The trojan connects to the following addresses:
  • www.infersearch.com
The trojan launches the following processes:
  • iexplore.exe (Internet Explorer)