Threat Encyclopedia

Win32/Agent.QYH

Aliases: Trojan-Dropper.Win32.Agent.buxs (Kaspersky), Trojan:Win32/Tapaoux.A (Microsoft), GenericDropper!ddz trojan (McAfee)
Type of infiltration: Trojan
Size: 357344 B
Affected platforms: Microsoft Windows
Signature database version: 4983 (20100329)

Short description

Win32/Agent.QYH installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following files:
  • %system%\%variable1%.exe (115680 B)
  • %system%\%variable1%.sys (10336 B)
  • %system%\%variable2%.dll (160736 B)
The %variable1% is one of the following strings:
  • activemov
  • webhelp
  • autocheck
  • xflash
  • inetcpl
  • xmlhelp
  • winspooler
  • securitychk
  • actmove
  • appned
  • boof
  • gflash
  • lnetcpl
  • qernet
  • serves
  • secury
The %variable2% is one of the following strings:
  • DivXfix
  • dbdebug
  • countryfix
  • cdboot
  • bitcheck
  • biosfix
  • actproxy
  • activems
  • actmove
  • appned
  • boof
  • gflash
  • lnetcpl
  • qernet
  • serves
  • secury
The trojan may create the following files:
  • %system%\%variable3% (244432 B)
  • %startup%\%variable4%.lnk
The %variable3% is one of the following strings:
  • autorun.cpx
  • autop.auc
  • Config.tbl
  • doskey.tbl
  • proc.cpx
  • qstore.ax
  • winmon.tlb
  • winbug.rom
  • autorun.aux
  • autop.aux
  • Config.aux
  • doskey.aux
  • proc.aux
  • qstore.aux
  • winmon.aux
  • winbug.aux
The %variable4% is one of the following strings:
  • Inetcpl
  • actmove
  • Appned
  • Boof
  • Gflash
  • lnetcpl
  • qernet
  • serves
  • secury
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\%variable5%]
    "StubPath" = "%system%\%variable1%.exe SystemBasicTools"
    "(Default)" = "Microsoft Explorer"
    "Version" = "1,0,0,1"
    "IsInstalled" = 1

    [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\%variable5%]
    "Version" = "1,0,0,0"
The %variable5% is one of the following strings:
  • {31A3AFFA-AC5E-4F29-12DC-AC3672FC548A}
  • {01A3AFFA-AC5E-4F29-12DC-AC3672FC548A}
  • {4247A4CE-1275-3C4F-67DE-33999CDE2754}
  • {0247A4CE-1275-3C4F-67DE-33999CDE2754}
  • {537ACDEF-2672-3341-CCEA-2BE4DE1673DF}
  • {037ACDEF-2672-3341-CCEA-2BE4DE1673DF}
  • {6401AE4C-27CE-C416-167C-CEF5629CED3F}
  • {0401AE4C-27CE-C416-167C-CEF5629CED3F}
  • {75053DE3-294C-12CE-1CDF-1BF4CE6CD741}
  • {05053DE3-294C-12CE-1CDF-1BF4CE6CD741}
  • {86CD17C4-1CE4-78CF-3C4F-4AEF5633CF28}
  • {06CD17C4-1CE4-78CF-3C4F-4AEF5633CF28}
  • {973DFB00-02C6-1CEF-1234-01CE4CFD58A3}
  • {073DFB00-02C6-1CEF-1234-01CE4CFD58A3}
  • {A83C4EBD-4F2C-1CC9-4CDA-37FECCE4672C}
  • {083C4EBD-4F2C-1CC9-4CDA-37FECCE4672C}
The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    %variable4% = %malwarepath%
The trojan installs the following system driver:
  • %system%\%variable1%.sys (10336 B)
The trojan loads and injects the %system%\%variable2%.dll library into the following processes:
  • svchost.exe
  • explorer.exe
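As an added defender-side example (not part of the ESET entry), the Python below turns the dropped-file names, component sizes and Active Setup key listed in this section into a simple hunt over a constructed %system% directory listing and a constructed registry export; the benign file names and the all-zero GUID in the sample input are placeholders.

```python
# Added example (not ESET's code): hunt for the Win32/Agent.QYH artifacts the
# entry lists. Inputs are a constructed %system% listing and a constructed
# registry export; names, sizes and key paths are taken from the entry above.
VAR1 = ("activemov webhelp autocheck xflash inetcpl xmlhelp winspooler "
        "securitychk actmove appned boof gflash lnetcpl qernet serves secury").split()
VAR2 = ("DivXfix dbdebug countryfix cdboot bitcheck biosfix actproxy activems "
        "actmove appned boof gflash lnetcpl qernet serves secury").split()
VAR3 = ("autorun.cpx autop.auc Config.tbl doskey.tbl proc.cpx qstore.ax "
        "winmon.tlb winbug.rom").split() + [
    n + ".aux" for n in "autorun autop Config doskey proc qstore winmon winbug".split()]

# Dropped-file names from the entry, compared case-insensitively (as NTFS does).
SUSPECT_FILES = {n.lower() for n in [v + ".exe" for v in VAR1]
                 + [v + ".sys" for v in VAR1] + [v + ".dll" for v in VAR2] + VAR3}
# Component sizes the entry gives, keyed by extension.
EXPECTED_SIZES = {".exe": 115680, ".sys": 10336, ".dll": 160736}
ACTIVE_SETUP = "\\software\\microsoft\\active setup\\installed components\\"

def scan_system_listing(lines):
    """lines: 'name<TAB>size' rows of %system%. Returns (name, size, strength)."""
    hits = []
    for line in lines:
        name, _, size = line.strip().rpartition("\t")
        if name.lower() in SUSPECT_FILES:
            ext = name[name.rfind("."):].lower()
            strong = EXPECTED_SIZES.get(ext) == int(size)
            hits.append((name, int(size), "name+size" if strong else "name only"))
    return hits

def scan_registry_export(text):
    """Returns GUIDs of Active Setup components whose StubPath carries the
    'SystemBasicTools' argument the entry describes (the name alone is weak)."""
    hits, guid = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1]
            guid = key.rsplit("\\", 1)[1] if ACTIVE_SETUP in key.lower() else None
        elif guid and s.startswith('"StubPath"') and "SystemBasicTools" in s:
            hits.append(guid)
    return hits

# Constructed sample input: a driver matching by name and size, a dll matching
# by name only, a benign file, and a benign Active Setup key (placeholder GUID).
SAMPLE_LISTING = ["kernel32.dll\t1000000", "inetcpl.sys\t10336", "cdboot.dll\t99"]
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31A3AFFA-AC5E-4F29-12DC-AC3672FC548A}]
"StubPath"="C:\Windows\system32\inetcpl.exe SystemBasicTools"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\Windows\system32\benign.exe /install"'''
```

Because several of the names (inetcpl, webhelp, autocheck) look like legitimate Windows components, the size match and the StubPath argument are what separate a real hit from a coincidence.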

Other information

The trojan quits immediately if it is run within a debugger.

The trojan quits immediately if any of the following applications is detected:
  • ethereal.exe
  • filemon.exe
  • ollydbg.exe
  • icesword.exe
  • idag.exe
  • pslist.exe
  • regmon.exe
The trojan alters the behavior of the following processes:
  • AVGIDSAgent.exe
  • AVGIDSMonitor.exe
  • AntiSpyWare2Guard.exe
The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. It can be controlled remotely.

It can execute the following operations:
  • send files to a remote computer
  • run executable files
  • download files from a remote computer and/or the Internet
  • collect information about the operating system used
The trojan creates the following files:
  • %system%\ffffz%date%ca.tmp
A string with variable content is used instead of %date%.