Threat Encyclopedia


Installation

The following file is dropped in the %system% folder:

agent_dq.dll

The file is a Browser Helper Object (BHO) for Internet Explorer. Its size is 60928 B. Note that the CLSID registration listed below names %system%\ipv6mons.dll as the in-process server, so both file names should be checked on an infected machine.


The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73364D99-1240-4dff-B11A-67E448373048}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
(Default) = "%system%\ipv6mons.dll"
"ThreadingModel" = "apartment"
"Enable Browser Extensions" = "yes"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = "C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\loadnet_insll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\worg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\cmpid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\forwas]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\h]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\nw]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\wspopp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}]

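The BHO and firewall entries above are the ones a responder needs to resolve on a suspect machine: the CLSID under Explorer\Browser Helper Objects only becomes meaningful once it is joined to the InprocServer32 default value that names the DLL Internet Explorer will load. The script below is an added example, not part of this encyclopedia entry; it parses the text of a Registry export (.reg), lists every registered BHO with its DLL, and reports the Windows Firewall AuthorizedApplications exceptions. The sample export is constructed to mirror the entries listed above (with the BHO key deliberately written in mixed case, since the Registry is case-insensitive and the lookup must be too).

```python
"""Resolve Browser Helper Object registrations from a .reg export.

Added example, not part of the encyclopedia entry: parse the text of a
Registry export, list every CLSID registered under
Explorer\\Browser Helper Objects, and resolve each one to the DLL named in
its InprocServer32 default value, which is what Internet Explorer loads.
The firewall AuthorizedApplications list is reported as well.
"""
import re

# Constructed sample export, modelled on the entries listed above.  A real
# .reg file doubles backslashes inside quoted strings and writes the default
# value as "@".  The BHO key is written in mixed case on purpose.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InprocServer32]
@="%system%\\ipv6mons.dll"
"ThreadingModel"="apartment"
"Enable Browser Extensions"="yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{73364D99-1240-4dff-B11A-67E448373048}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
'''

BHO_ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
CLSID_ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'
FW_LIST = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
           r'\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List')

# A value line: either @ (default value) or a quoted name, then '=' and the data.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value is stored as '@'.
    Key paths are kept as written; the lookups below lower-case them because
    the Registry itself is case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def list_bhos(keys):
    """[(clsid, dll_or_None)] for each CLSID registered as a Browser Helper Object."""
    norm = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_ROOT.lower() + '\\'
    found = []
    for path in keys:
        if path.lower().startswith(prefix):
            clsid = path[len(prefix):]
            inproc = norm.get((CLSID_ROOT + '\\' + clsid + '\\InprocServer32').lower(), {})
            found.append((clsid, inproc.get('@')))
    return found


def firewall_exceptions(keys):
    """Executables whitelisted in the Windows Firewall standard profile."""
    norm = {k.lower(): v for k, v in keys.items()}
    return sorted(norm.get(FW_LIST.lower(), {}))


def report(text):
    """Human-readable lines: one per BHO, then one per firewall exception."""
    keys = parse_reg(text)
    lines = [f"BHO {clsid} -> {dll or '<no InprocServer32 default value>'}"
             for clsid, dll in list_bhos(keys)]
    lines += [f"firewall exception: {exe}" for exe in firewall_exceptions(keys)]
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_REG)))
```

On a live system the export comes from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer` and `reg export HKLM\SOFTWARE\Classes\CLSID`; the parser only needs the text. A BHO whose CLSID resolves to no InprocServer32 value, or to a DLL outside the usual vendor directories, is the entry to pull for analysis.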

Information stealing

The trojan collects various information when Internet Explorer is used to access the following sites:

app/ueberweisung.input.do
app/ueberweisung.prep.do
banking.postbank.de
banking.postbank.de/app/finanzstatus.reduziert.init.do
banking.postbank.de/app/kontoumsatz.umsatz.init.do
banking.postbank.de/app/legitimation.input.do
banking.postbank.de/app/ueberweisung.quittung.do
e-gold.com/acct/acct.asp
https://*.netbank.commbank.com.au/netbank/bankmain
https://banking.postbank.de/app/finanzstatus.init.do
https://banking.postbank.de/app/kontoumsatz.umsatz.init.do
https://banking.postbank.de/app/welcome.do
https://signin.ebay*/ws/eBayISAPI.dll
postbank.de
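The target list above mixes bare host names, path fragments and wildcard URLs, which is what a responder has to turn into something searchable when working out which users reached the targeted pages during the infection window. The script below is an added example, not part of this encyclopedia entry: it converts each entry into a regular expression (literal text escaped, `*` widened to `.*`, matched anywhere in the URL) and runs the result over constructed proxy log lines. The matching rule is an assumption about how the list is applied; the entry does not document it.

```python
"""Find proxy-log requests to the pages this trojan targets.

Added example, not part of the encyclopedia entry.  Each target entry is
compiled to a regex: literal parts escaped, '*' widened to '.*', searched
anywhere in the URL (an assumed matching rule).  The log format below is a
constructed one: timestamp, client IP, method, URL.
"""
import re

# The target list as given in the entry.
TARGETS = [
    "app/ueberweisung.input.do",
    "app/ueberweisung.prep.do",
    "banking.postbank.de",
    "banking.postbank.de/app/finanzstatus.reduziert.init.do",
    "banking.postbank.de/app/kontoumsatz.umsatz.init.do",
    "banking.postbank.de/app/legitimation.input.do",
    "banking.postbank.de/app/ueberweisung.quittung.do",
    "e-gold.com/acct/acct.asp",
    "https://*.netbank.commbank.com.au/netbank/bankmain",
    "https://banking.postbank.de/app/finanzstatus.init.do",
    "https://banking.postbank.de/app/kontoumsatz.umsatz.init.do",
    "https://banking.postbank.de/app/welcome.do",
    "https://signin.ebay*/ws/eBayISAPI.dll",
    "postbank.de",
]


def compile_target(pattern):
    """Escape the literal parts of a target and turn each '*' into '.*'."""
    return re.compile('.*'.join(re.escape(p) for p in pattern.split('*')),
                      re.IGNORECASE)


COMPILED = [(t, compile_target(t)) for t in TARGETS]


def matching_targets(url):
    """Every target entry that matches the URL, in list order.  Broad entries
    such as 'postbank.de' match alongside the more specific page entries."""
    return [t for t, rx in COMPILED if rx.search(url)]


# Constructed sample log lines (not real traffic).
LOG_LINES = [
    "2008-05-12T09:14:03 10.0.0.23 GET https://banking.postbank.de/app/welcome.do",
    "2008-05-12T09:14:41 10.0.0.23 POST https://banking.postbank.de/app/legitimation.input.do",
    "2008-05-12T09:20:17 10.0.0.57 GET https://www.example.com/news",
    "2008-05-12T09:22:08 10.0.0.57 GET https://signin.ebay.de/ws/eBayISAPI.dll?SignIn",
    "2008-05-12T09:25:30 10.0.0.88 GET https://www.netbank.commbank.com.au/netbank/bankmain.aspx",
]


def scan_log(lines):
    """{client_ip: [(url, [matched targets]), ...]} for requests to targeted pages."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:          # skip malformed lines rather than crash
            continue
        _ts, client, _method, url = fields[:4]
        matched = matching_targets(url)
        if matched:
            hits.setdefault(client, []).append((url, matched))
    return hits


if __name__ == '__main__':
    for client, reqs in scan_log(LOG_LINES).items():
        for url, matched in reqs:
            print(f"{client} {url} <- {', '.join(matched)}")
```

Clients that appear in the result are the ones whose sessions the form.txt and shot.html captures would cover, so they are the first candidates for a credential reset once the infection is confirmed. The case-insensitive flag matters: the list spells `eBayISAPI.dll` in mixed case while proxies may log the path as sent by the client.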

Some of the information is also gathered from local files. The following information is collected:

passwords
URLs visited
HTML forms content
computer name
computer IP address
Outlook Express accounts data
digital certificates


The data is saved in the %system% folder in the following files:

form.txt
info.txt
shot.html

The trojan can upload the collected information to a remote machine over FTP.

Other information

The trojan may attempt to delete all files on the C: drive and various program files.