Threat Encyclopedia

Win32/Agent.QZG

Aliases: Trojan.Win32.Shutdowner.ejj (Kaspersky), Generic.dx!rcd trojan (McAfee), Trojan horse Generic17.ASON (AVG)
Type of infiltration: Trojan
Size: 19456 B
Affected platforms: Microsoft Windows
Signature database version: 5006 (20100407)

Short description

Win32/Agent.QZG is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:
  • %windir%\expmodule.exe (19456 B)
The trojan creates the following files:
  • %system%\wmmest.dll (14336 B)
The following file is modified:
  • %system%\userinit.exe
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogo2]
    "Shell" = "expmodule.exe"
This causes the trojan to be executed on every system start.
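The persistence mechanism above relies on the Winlogon "Shell" value, which on a clean system points at explorer.exe; anything else named there is started at logon in its place. The following host check is an added example written for this entry, not ESET's code or tooling: it reads the standard Winlogon Shell value (assumed here to be the key the entry refers to) and tests for the dropped files listed above. The expansion of %windir% and %system%, the default value "explorer.exe", and the injected `exists` callback are assumptions made so the logic can run and be tested off a Windows host; the modification of userinit.exe cannot be detected by presence alone and is left to a file-integrity check such as `sfc /scannow`.

```python
"""Host check for the persistence indicators described in the Win32/Agent.QZG entry."""
import ntpath
import os

# Indicators copied from the entry; backslashes between placeholder and file name assumed.
DROPPED_FILES = [r"%windir%\expmodule.exe", r"%system%\wmmest.dll"]
# Default Winlogon Shell value on an unmodified Windows installation (assumption, not from the entry).
EXPECTED_SHELL = "explorer.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def expand_path(ioc, windir="C:\\Windows"):
    """Replace the %windir% / %system% placeholders used by the entry with concrete paths."""
    system = ntpath.join(windir, "System32")
    return ioc.replace("%windir%", windir).replace("%system%", system)


def assess_shell_value(shell_value):
    """Return a finding if Winlogon\\Shell deviates from the default, else None.

    The value may hold several comma-separated programs, so compare the parsed list.
    """
    if shell_value is None:
        return None  # value absent: Windows falls back to explorer.exe
    entries = [e.strip().lower() for e in shell_value.split(",") if e.strip()]
    if entries == [EXPECTED_SHELL]:
        return None
    if "expmodule.exe" in entries:
        return f"Winlogon Shell references expmodule.exe (Win32/Agent.QZG indicator): {shell_value!r}"
    return f"Winlogon Shell is non-default: {shell_value!r}"


def assess_files(exists, windir="C:\\Windows"):
    """Report which dropped files are present; `exists` is injected for testability."""
    findings = []
    for ioc in DROPPED_FILES:
        path = expand_path(ioc, windir)
        if exists(path):
            findings.append(f"dropped file present: {path}")
    return findings


def scan(shell_value, exists, windir="C:\\Windows"):
    """Combine file and registry findings into one list (empty list means nothing matched)."""
    findings = assess_files(exists, windir)
    shell_finding = assess_shell_value(shell_value)
    if shell_finding:
        findings.append(shell_finding)
    return findings


def read_winlogon_shell():
    """Live read of HKLM\\...\\Winlogon\\Shell on Windows; None when absent or off-platform."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            return winreg.QueryValueEx(key, "Shell")[0]
    except OSError:
        return None


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", "C:\\Windows")
    for line in scan(read_winlogon_shell(), os.path.exists, windir) or ["no indicators found"]:
        print(line)
```

Run it from an elevated prompt on the host under review; any non-default Shell value deserves a look even when it is not expmodule.exe, since the same registry value is a common autostart location for other families.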

Other information

The trojan creates and runs a new thread with its own program code within the following processes:
  • svchost.exe
The trojan checks for Internet connectivity by trying to connect to the following servers:
  • www.bing.com
The trojan connects to the following address:
  • monkeymakinmoney.in
The trojan then obtains data and instructions for further action. The HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • remove itself from the infected computer
The trojan collects the following information:
  • computer name
  • list of disk devices and their type
The trojan can send the information to a remote machine.

The trojan may turn off the computer.