Threat Encyclopedia


Short description
Win32/AutoRun.Agent.PG is a worm that spreads by copying itself into the root folders of available drives. The file is run-time compressed using NsPack.
Installation
When executed, the worm creates the following files:
  • %windir%\phpq.dll (45568 B)
  • %system%\func.dll (38400 B)
  • %system%\drivers\pcidump.sys (11904 B)
The worm attempts to replace the following file with a copy of itself:
  • %system%\drivers\acpiec.sys
The worm installs the following system drivers (acpiec.sys is the name of a legitimate Windows ACPI embedded-controller driver, which the worm replaces with its own copy as described above):
  • %system%\drivers\acpiec.sys (14080 B)
  • %system%\drivers\pcidump.sys (11904 B)
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_PCIDUMP\0000\Control]
    "*NewlyCreated*" = 0
    "ActiveService" = "pcidump"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_PCIDUMP\0000]
Spreading
Win32/AutoRun.Agent.PG is a worm that spreads by copying itself into the root folders of available drives.

If successful, the following filename is used:
  • %drive%\1.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer, provided AutoRun is enabled for that drive type (Windows 7, and update KB971029 for earlier Windows versions, disable AutoRun for non-optical removable drives, so on patched systems the autorun.inf only takes effect if a user opens the drive through one of its hijacked Explorer verbs).
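The page does not reproduce the dropped autorun.inf, so the following added example (not code from the threat description or from ESET) parses a constructed worm-style autorun.inf in which only the 1.exe filename comes from the page. It shows what an analyst recovering the file from infected media would check: which launch keys it sets, which Explorer verbs it hijacks so that double-clicking the drive runs the worm even with AutoPlay off, and a simple triage heuristic. The function names and the sample file are assumptions for illustration.

```python
"""Parse an autorun.inf and report what it would launch.

Added example, not part of the original description: SAMPLE_AUTORUN is a
constructed file (only the 1.exe filename comes from the page) standing in
for one recovered from infected removable media.
"""
import re
from typing import Dict, List

# Keys that make Windows run a program on insertion (AutoPlay). The
# "shell\<verb>\command" form instead rewrites Explorer's context-menu
# verbs, so opening or exploring the drive from Explorer runs the worm
# even when AutoPlay is disabled.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)

# Constructed sample: junk before the section header, a comment, mixed
# case and the same executable wired into several keys, all common in
# worm-generated files.
SAMPLE_AUTORUN = """\
;padding line that a real sample often carries
xkwjrq=zzz
[AutoRun]
OPEN=1.exe
icon=1.exe,0
shell\\open=Open(&O)
shell\\open\\Command=1.exe
shell\\explore\\command=1.exe
ShellExecute=1.exe
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return lower-cased key -> value pairs from the [autorun] section.

    Tolerates blank lines, ';' comments, junk before the header and any
    key/value casing; a later duplicate key overwrites an earlier one.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(text: str) -> List[str]:
    """Every command the file can trigger, de-duplicated, in file order."""
    found: List[str] = []
    for key, value in parse_autorun(text).items():
        if (key in LAUNCH_KEYS or SHELL_CMD_RE.match(key)) and value not in found:
            found.append(value)
    return found


def hijacked_verbs(text: str) -> Dict[str, str]:
    """Explorer verbs (open, explore, ...) redirected to a command."""
    verbs: Dict[str, str] = {}
    for key, value in parse_autorun(text).items():
        m = SHELL_CMD_RE.match(key)
        if m:
            verbs[m.group(1).lower()] = value
    return verbs


def is_suspicious(text: str) -> bool:
    """Triage heuristic: a file that rewrites Explorer verbs or launches an
    executable is worth quarantining; an icon/label-only file (common on
    vendor media) is not."""
    exe_suffixes = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
    if hijacked_verbs(text):
        return True
    return any(p.lower().endswith(exe_suffixes) for p in launched_programs(text))


if __name__ == "__main__":
    print("launches:", launched_programs(SAMPLE_AUTORUN))
    print("hijacked verbs:", hijacked_verbs(SAMPLE_AUTORUN))
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN))
```

On a live system, feed the function the contents of `%drive%\autorun.inf` for each removable drive; the worm's own copy sits beside it as 1.exe in the drive root.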
Information stealing
The worm collects the following information:
  • network adapter information
  • malware version
  • operating system version
The worm can send the information to a remote machine over HTTP.
Other information
The following programs are terminated (360Safe.exe, 360Safebox.exe and 360tray.exe belong to Qihoo 360 security products):
  • 360Safe.exe
  • 360Safebox.exe
  • 360tray.exe
  • AgentSvr.exe
  • antiarp.exe
The following file is modified:
  • %system%\drivers\etc\hosts
The worm writes the following entries to the file:
  • 127.0.0.1 v.onondown.com.cn
  • 127.0.0.2 ymsdasdw1.cn
  • 127.0.0.3 h96b.info
  • 127.0.0.0 fuck.zttwp.cn
  • 127.0.0.0 www.hackerbf.cn
Because Windows consults the hosts file before DNS, the listed domains resolve to addresses in the loopback range (any address in 127.0.0.0/8, not only 127.0.0.1, loops back), which blocks access to those servers.
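A responder checking for this tampering should not grep only for 127.0.0.1, since the entries above use 127.0.0.0, 127.0.0.2 and 127.0.0.3 as well. The following added example (not code from the threat description or from ESET) parses a hosts file and reports every hostname pointed at the loopback range or 0.0.0.0 other than the names a clean file maps there. The sample hosts text is constructed from a default-style file plus the five lines the page lists; the function names are assumptions.

```python
"""Flag hosts-file entries that redirect domains to a traffic sink.

Added example, not part of the original description. SAMPLE_HOSTS is
constructed: two default loopback lines plus the five entries the page
lists for Win32/AutoRun.Agent.PG.
"""
import ipaddress
import os
from typing import Iterator, List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Destinations that silently swallow traffic: the whole 127.0.0.0/8 block
# loops back, and 0.0.0.0 / ::1 are the other common sinks.
SINK_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
)
# Names a clean hosts file legitimately points at loopback.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """\
# constructed sample: default header comments omitted
127.0.0.1       localhost
::1             localhost
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
"""


def windows_hosts_path() -> str:
    """%system%\\drivers\\etc\\hosts, the file the worm modifies."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def parse_hosts(text: str) -> Iterator[Tuple[Address, List[str]]]:
    """Yield (address, names) per entry; comments, blank lines and lines
    whose first token is not an IP address are skipped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield addr, parts[1:]


def sinkholed_names(text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs that are blocked by pointing at a sink."""
    hits: List[Tuple[str, str]] = []
    for addr, names in parse_hosts(text):
        if not any(addr in net for net in SINK_NETS):
            continue
        for name in names:
            if name.lower() not in BENIGN_NAMES:
                hits.append((str(addr), name))
    return hits


if __name__ == "__main__":
    path = windows_hosts_path()
    text = open(path, encoding="utf-8", errors="replace").read() if os.path.exists(path) else SAMPLE_HOSTS
    for addr, name in sinkholed_names(text):
        print(f"blocked: {name} -> {addr}")
```

Run as a script it reads the live hosts file when present and falls back to the constructed sample otherwise; any hit on a workstation that is not deliberately using hosts-based blocking deserves a look at the rest of this page's indicators.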

The worm may create copies of the following files (source, destination):
  • %system%\drivers\gm.dls, %windir%\temp\explorer.exe
The worm launches the following processes:
  • cmd /c cacls %windir% /e /p everyone:f
  • cmd /c cacls "%temp%\" /e /p everyone:f
  • cmd /c sc config ekrn start= disabled
  • cmd /c taskkill /im ekrn.exe /f
  • cmd /c taskkill /im egui.exe /f
The two cacls commands edit the existing ACL (/e) of the Windows and temporary directories to grant the Everyone group full control (/p everyone:f), removing the file-system protection on them. The remaining commands set the ESET kernel service (ekrn) to disabled and forcibly terminate the ESET service and GUI processes (ekrn.exe, egui.exe).
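The command lines above are good detection material because each one is rare in legitimate administration. The following added example (not code from the threat description or from ESET) runs three rules over constructed process-creation log lines of the kind a Sysmon Event ID 1 CommandLine field would carry, with %windir% and %temp% expanded to plausible paths: an ACL grant of full control to Everyone, a security service being disabled, and a security product being killed. The rule names, the constructed log and the choice of which services and images count as "security" (taken from the names on this page) are assumptions.

```python
"""Match process command lines against the defensive-evasion commands the
page lists. Added example, not part of the original description; SAMPLE_LOG
is constructed to resemble process-creation CommandLine values, with
%windir% expanded to C:\\Windows and %temp% to a user temp directory.
"""
import re
from typing import List, Tuple

# Image and service names taken from the page: processes the worm kills or
# injects into, and the ESET service it disables.
SECURITY_IMAGES = {"360safe.exe", "360safebox.exe", "360tray.exe", "agentsvr.exe",
                   "antiarp.exe", "ekrn.exe", "egui.exe", "avp.exe"}
SECURITY_SERVICES = {"ekrn"}

RULES = [
    # cacls/icacls granting Everyone full control ("everyone:f" or "Everyone:(F)")
    ("acl_weakened_everyone_full",
     re.compile(r"\b(?:cacls|icacls)(?:\.exe)?\b.*\beveryone:(?:f\b|\(f\))", re.I)),
    # sc config <service> start= disabled ; group 1 = service name
    ("security_service_disabled",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b", re.I)),
    # taskkill /im <image> /f ; group 1 = image name
    ("security_process_killed",
     re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)),
]

# Constructed log: the five lines from the page plus benign look-alikes
# that must not fire, and an icacls variant of the ACL grant that must.
SAMPLE_LOG = [
    r"cmd /c cacls C:\Windows /e /p everyone:f",
    r'cmd /c cacls "C:\Users\bob\AppData\Local\Temp\" /e /p everyone:f',
    r"cmd /c sc config ekrn start= disabled",
    r"cmd /c taskkill /im ekrn.exe /f",
    r"cmd /c taskkill /im egui.exe /f",
    r"cmd /c taskkill /im notepad.exe /f",     # not a security product
    r"sc config Spooler start= disabled",       # not a security service
    r"icacls C:\Data /grant bob:(R)",           # neither Everyone nor full control
    r"icacls C:\Windows /grant Everyone:(F) /T",
]


def classify(cmdline: str) -> List[str]:
    """Rule names that fire on one command line (empty list = benign)."""
    hits: List[str] = []
    for name, rx in RULES:
        m = rx.search(cmdline)
        if not m:
            continue
        target = m.group(1).lower() if m.groups() else ""
        if name == "security_service_disabled" and target not in SECURITY_SERVICES:
            continue
        if name == "security_process_killed" and target not in SECURITY_IMAGES:
            continue
        hits.append(name)
    return hits


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(command line, rules) for every line that fires at least one rule."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(f"{', '.join(hits)}: {line}")
```

The service and image allow-lists keep the last two rules from firing on routine `sc config` and `taskkill` use; the ACL rule needs no such list because granting Everyone full control on anything is worth reviewing on its own.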
The worm contains a list of 3 URLs from which it tries to download several files over HTTP. The downloaded files are stored in the following locations:
  • %filepath%
  • %system%\drivers\192yuioealdjfiefjsdfas.txt
A string with variable content is used instead of %filepath%. The files are then executed.

The worm creates copies of the following files (source, destination):
  • %filepath%, %windir%\setup.exe
  • %filepath%, %drive%\1.exe
The worm creates and runs a new thread with its own program code within the following processes (avp.exe is the Kaspersky Anti-Virus process):
  • avp.exe