Threat Encyclopedia

Short description
Win32/PSW.Agent.NGX is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following folder:
  • %temp%\IXP%variable%.TMP
The executables of the trojan are copied there using the following filenames:
  • lese.exe (22580 B)
  • mm.exe (10240 B)
The %variable% stands for a variable three-digit number.

The following files are dropped into the %system% folder:
  • XunLeiBHO_001.dll (65541 B)
  • kbass1p.dll (15872 B)

Libraries with the following names are injected into all running processes:
  • kbass1p.dll

The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder\CLSID]
    "(Default)" = "{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder]
    "(Default)" = "Thunder Browser Helper"
Information stealing
The trojan is able to log keystrokes.

The trojan collects information related to the on-line game World of Warcraft.

The trojan can send the information to a remote machine. The trojan contains a URL address. The HTTP protocol is used.
Other information
The trojan creates the following files:
  • %temp%\IXP%variable%.TMP\iog.bat
  • %temp%\IXP%variable%.TMP\cmdd.bat
  • %temp%\htba

The following files are deleted:
  • %system%\drivers\etc\hosts
The trojan terminates processes with any of the following strings in the name:
  • QQLiveUpdate.exe
The trojan interferes with the operation of some security applications to avoid detection.

The trojan mutes the Master Volume control of the sound device.

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup%number%" = "rundll32.exe %system%\advpack.dll,DelNodeRunDLL32 "%temp%\IXP%variable%.TMP\""
The %number% stands for a random number.
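As an added defender-side example, not part of the encyclopedia entry, the script below turns the file and registry indicators listed in this entry into patterns and runs them over a triage inventory. The %variable% and %number% placeholders follow the entry's wording (a three-digit number, a random number); the expansion of %temp% and %system% to any path ending in Temp or System32 is an assumption, and the inventory lists are constructed sample data. One caveat when using these indicators: the IXP%variable%.TMP folder and the wextract_cleanup RunOnce value are what any IExpress self-extracting package (wextract) leaves behind, so on their own they only show that such a package ran; the Thunder CLSID entries and the named DLLs are the specific indicators, and a missing hosts file corroborates.

```python
import re
from typing import Iterable, List, Tuple

# File and folder indicators transcribed from the entry above, placeholders kept as written.
FILE_IOCS = [
    r"%temp%\IXP%variable%.TMP\lese.exe",
    r"%temp%\IXP%variable%.TMP\mm.exe",
    r"%temp%\IXP%variable%.TMP\iog.bat",
    r"%temp%\IXP%variable%.TMP\cmdd.bat",
    r"%temp%\htba",
    r"%system%\XunLeiBHO_001.dll",
    r"%system%\kbass1p.dll",
]

# Registry indicators as (key, value name, data) triples, again transcribed from the entry.
REGISTRY_IOCS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder\CLSID", "(Default)",
     "{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder", "(Default)", "Thunder Browser Helper"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "wextract_cleanup%number%",
     r'rundll32.exe %system%\advpack.dll,DelNodeRunDLL32 "%temp%\IXP%variable%.TMP\"'),
]

# The file the entry says is deleted; its absence from a System32 inventory is itself a signal.
HOSTS_IOC = r"%system%\drivers\etc\hosts"

# Regex fragment for each placeholder.  %variable% and %number% follow the entry's wording.
# The %temp% and %system% expansions are assumptions: any drive or profile prefix that ends
# in the usual folder name is accepted.
PLACEHOLDERS = {
    "%temp%": r".*?\\Temp",
    "%system%": r".*?\\System32",
    "%variable%": r"\d{3}",
    "%number%": r"\d+",
}


def ioc_to_regex(ioc: str) -> re.Pattern:
    """Compile an IoC string with %placeholders% into an anchored, case-insensitive regex."""
    fragments = []
    for part in re.split(r"(%[a-z]+%)", ioc):
        # Known placeholders become their fragment; everything else is matched literally.
        fragments.append(PLACEHOLDERS.get(part) or re.escape(part))
    return re.compile("^" + "".join(fragments) + "$", re.IGNORECASE)


def match_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, ioc) pairs for every inventoried path that fits a documented file indicator."""
    compiled = [(ioc, ioc_to_regex(ioc)) for ioc in FILE_IOCS]
    return [(p, ioc) for p in paths for ioc, rx in compiled if rx.match(p)]


def hosts_file_present(paths: Iterable[str]) -> bool:
    """True if the inventory still contains the hosts file the trojan deletes."""
    rx = ioc_to_regex(HOSTS_IOC)
    return any(rx.match(p) for p in paths)


def match_registry(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (key, value name) for every entry whose key, name and data all match an indicator."""
    compiled = [tuple(ioc_to_regex(field) for field in ioc) for ioc in REGISTRY_IOCS]
    hits = []
    for key, name, data in entries:
        for key_rx, name_rx, data_rx in compiled:
            if key_rx.match(key) and name_rx.match(name) and data_rx.match(data):
                hits.append((key, name))
    return hits


# Constructed triage inventory for demonstration; not taken from the entry.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\IXP000.TMP\lese.exe",
    r"C:\Users\alice\AppData\Local\Temp\IXP000.TMP\mm.exe",
    r"C:\Users\alice\AppData\Local\Temp\IXP000.TMP\cmdd.bat",
    r"C:\Users\alice\AppData\Local\Temp\htba",
    r"C:\Windows\System32\kbass1p.dll",
    r"C:\Windows\System32\kernel32.dll",                    # benign, must not match
    r"C:\Users\alice\AppData\Local\Temp\IXP12.TMP\mm.exe",  # two digits: outside the documented pattern
    # no drivers\etc\hosts entry: consistent with the deletion the entry describes
]

SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder\CLSID", "(Default)",
     "{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "wextract_cleanup4",
     r'rundll32.exe C:\Windows\System32\advpack.dll,DelNodeRunDLL32 '
     r'"C:\Users\alice\AppData\Local\Temp\IXP000.TMP\"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Program Files\Example\updater.exe"),               # benign, must not match
]

if __name__ == "__main__":
    for path, ioc in match_files(SAMPLE_PATHS):
        print(f"file hit: {path}  <- {ioc}")
    print("hosts file present:", hosts_file_present(SAMPLE_PATHS))
    for key, name in match_registry(SAMPLE_REGISTRY):
        print(f"registry hit: {key}\\{name}")
```

The placeholder table is the only part that needs adjusting for another entry from the same encyclopedia: the indicator lists are copied verbatim, so the same loader works for any entry that uses the %temp%, %system%, %variable% and %number% conventions.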