Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Agent.QKS

Aliases: Trojan:Win32/Riern.B (Microsoft), Infostealer.Gampass (Symantec), TROJ_RIERN.SMA (TrendMicro)
Type of infiltration: Trojan
Size: 66560 B
Affected platforms: Microsoft Windows
Signature database version: 4668 (20091207)

Short description

Win32/Agent.QKS is a trojan that steals sensitive information.

The trojan can send the information to a remote machine.

Installation

The trojan creates the following files:
  • %appdata%\Macromedia\Common\%random1%19.exe (3072 B)
  • %appdata%\Macromedia\Common\%random1%1.dll (58368 B)
  • %temp%\%random1%2.tmp (58368 B)
A string with variable content is used instead of %random1%.

In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "WAB" = "%appdata%\Macromedia\Common\%random1%19.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "midi1" = "%appdata%\Macromedia\Common\%random1%1.dll"
    "midi2" = "%appdata%\Macromedia\Common\%random1%1.dll"
    "wave1" = "%appdata%\Macromedia\Common\%random1%1.dll"
    "wave2" = "%appdata%\Macromedia\Common\%random1%1.dll"
    "aux1" = "%appdata%\Macromedia\Common\%random1%1.dll"
    "aux2" = "%appdata%\Macromedia\Common\%random1%1.dll"
    "mixer1" = "%appdata%\Macromedia\Common\%random1%1.dll"
    "mixer2" = "%appdata%\Macromedia\Common\%random1%1.dll"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "rundll32.exe" = ""
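
Added example, not part of the ESET entry: a Python script that parses a Windows `.reg` export of the two persistence keys listed above and flags the indicators this description gives: a Run value named `WAB` whose data points under `\Macromedia\Common\`, an empty Run value named `rundll32.exe`, and Drivers32 audio-driver entries whose data points under `\Macromedia\Common\`. It goes one step beyond the page by also flagging any Drivers32 entry that points into a user profile at all; that rule rests on the assumption that legitimate Drivers32 entries name drivers in the system directory (for example `msacm32.drv`). The `.reg` text in the block is constructed, and file names such as `abcd19.exe` stand in for the `%random1%` part of the real names.

```python
import re
from typing import Dict, List, Tuple

# Registry keys named in the description. Key paths are case-insensitive in
# Windows, so they are compared lowercased throughout.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower()
DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32".lower()

# Exact path indicator from the description: %appdata%\Macromedia\Common\
# (after expansion the path still contains \Macromedia\Common\).
MACROMEDIA_COMMON = re.compile(r"\\macromedia\\common\\", re.IGNORECASE)
# Generalisation (assumption, not from the page): a Drivers32 entry pointing
# into a user profile is anomalous whatever the exact directory.
PROFILE_PATH = re.compile(r"\\(?:AppData|Application Data)\\|%appdata%", re.IGNORECASE)

# "name"=data or @=data lines of a .reg file; names may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed sample of a 'reg export' of both keys (not captured from a real
# infection). Backslashes are doubled, as they are in a genuine .reg file.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"WAB"="C:\\Users\\user\\AppData\\Roaming\\Macromedia\\Common\\abcd19.exe"
"rundll32.exe"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wavemapper"="msacm32.drv"
"midimapper"="midimap.dll"
"midi1"="C:\\Users\\user\\AppData\\Roaming\\Macromedia\\Common\\abcd1.dll"
"wave1"="C:\\Users\\user\\AppData\\Roaming\\Macromedia\\Common\\abcd1.dll"
"""


def _unescape(s: str) -> str:
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_data(data: str) -> str:
    """Unquote and unescape REG_SZ data; leave dword:/hex: data untouched."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path_lowercased: {value_name: data}}. Continuation lines of
    multi-line hex values are not needed here and are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" = default value
            keys[current][name] = _decode_data(m.group(2))
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, value_name, data) for every entry matching an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == "WAB" and MACROMEDIA_COMMON.search(data):
            hits.append(("run-wab-macromedia", name, data))
        elif name.lower() == "rundll32.exe" and data == "":
            hits.append(("run-empty-rundll32", name, data))
    for name, data in keys.get(DRIVERS32_KEY, {}).items():
        if MACROMEDIA_COMMON.search(data):
            hits.append(("drivers32-macromedia", name, data))
        elif PROFILE_PATH.search(data):  # broader rule, see assumption above
            hits.append(("drivers32-profile-path", name, data))
    return hits


if __name__ == "__main__":
    for rule, name, data in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{rule}: {name!r} = {data!r}")
```

To run it against a real machine, export the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg` (and likewise for the HKCU Run key), then read each file with `open(path, encoding="utf-16")`, since `reg export` writes UTF-16LE; `splitlines()` takes care of the CRLF line endings.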

Information stealing

The trojan collects the following information:
  • URLs visited
  • digital certificates
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • operating system version
  • cookies
The trojan can send the information to a remote machine. The HTTP protocol is used.

Other information

The trojan is sent data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:
  • capture screenshots
  • shut down/restart the computer
The following programs are terminated:
  • acrord32.exe
The trojan hooks the following Windows APIs:
  • ExitProcess (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • VirtualProtectEx (kernel32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpAddRequestHeadersA (wininet.dll)
  • HttpAddRequestHeadersW (wininet.dll)
  • CommitUrlCacheEntryA (wininet.dll)
  • CommitUrlCacheEntryW (wininet.dll)
  • PeekMessageW (user32.dll)
  • send (ws2_32.dll)
  • DnsQuery_W (dnsapi.dll)
  • CryptImportKey (advapi32.dll)
  • CryptGenKey (advapi32.dll)
  • CryptDeriveKey (advapi32.dll)
The trojan may create the following files:
  • %temp%\%random2%.tmp
  • %temp%\17ded07d7f6c569a.tmp
A string with variable content is used instead of %random2%.

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\*]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\*]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\*]
    "Start" = 4
The trojan opens the following URLs in Internet Explorer:
  • http://google.com