
Trojan.Agent.AAQK

LOW
LOW
24,5KB, 40KB
(Troj/FakeAV-CC, W32/Agent.AAQ!tr, Win32/Small.NEB trojan, Trojan W32/Agent.GYHC, Trojan.Fakealert.1260)

Symptoms

A file named __a00[some-hexa-digits].exe in C:\Documents and Settings\\local settings\temp with a size of 40KB.

One or more files named __c00[five-hexa-digits].dat in the system directory (C:\windows\system32) with a size of 24,5KB (25088 bytes).

The presence of a mutex named vmc_mm.

Removal instructions:

Please let BitDefender delete the infected files.

Analyzed By

Boeriu Laura, virus researcher

Technical Description:

The malware copies itself to C:\Documents and Settings\\local settings\temp under the name __a00[some-hexa-digits].exe and adds the following registry entry, so that the copy is started at every logon of the current user:
   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\A00[some-hexa-digits].exe
       C:\Documents and Settings\\Local Settings\Temp\__a00[some-hexa-digits].exe
 
Afterwards, the trojan drops a .dll file (in the directory from which it was run) under its original file name and extension followed by .dat. It loads this dll and calls its exported function named A.

Running that code copies the dll into the system directory (C:\windows\system32) under a name of the form __c00[five-hexa-digits].dat and sets the following registry key, which registers the dll as a Winlogon notification package so that its export B is called at logon and at startup:

   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00[five-hexa-digits]
    * Logon -> B
    * Impersonate -> 0x00000000
    * DllName -> C:\WINDOWS\system32\__c00[five-hexa-digits].dat
    * Startup -> B
    * Asynchronous -> 0x00000001

It also creates a mutex named vmc_mm and downloads a file from a link that was already down at the time this description was written.
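The indicators above (file naming patterns and sizes, the Run entry, the Winlogon Notify subkey and the mutex) can be turned into a small triage check over an inventory of files, registry entries and mutexes collected from a host. The following script is an added example and not BitDefender's own tooling; the record format (dicts with a "type" field) and all sample values in SAMPLE are constructed for this illustration.

```python
import re

# Indicators are the ones the advisory above documents; the records in
# SAMPLE are constructed for this example, not real sightings.
DROPPER = re.compile(r"^__a00[0-9a-f]+\.exe$", re.I)
PAYLOAD = re.compile(r"^__c00[0-9a-f]{5}\.dat$", re.I)
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
NOTIFY_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon\notify\__c00"

def base(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]

def check(r):
    """Return a finding string if record r matches a documented indicator."""
    kind = r["type"]
    if kind == "file":
        path = r["path"].lower()
        if DROPPER.match(base(path)) and "\\local settings\\temp\\" in path:
            return "dropper copy in user temp: " + r["path"]
        if PAYLOAD.match(base(path)) and "\\system32\\" in path and r["size"] == 25088:
            return "dropped dll in system32: " + r["path"]
    elif kind == "run" and r["key"].lower() == RUN_KEY:
        if re.match(r"^a00[0-9a-f]+\.exe$", r["name"], re.I) and DROPPER.match(base(r["data"])):
            return "Run persistence: " + r["name"]
    elif kind == "notify":
        k, v = r["key"].lower(), r["values"]
        if (k.startswith(NOTIFY_KEY) and re.fullmatch(r"[0-9a-f]{5}", k[len(NOTIFY_KEY):])
                and v.get("Logon") == "B" and v.get("Startup") == "B"
                and PAYLOAD.match(base(v.get("DllName", "")))):
            return "Winlogon Notify persistence: " + r["key"]
    elif kind == "mutex" and r["name"] == "vmc_mm":
        return "mutex vmc_mm present"
    return None

def triage(records):
    """Findings for every record that matches; benign records produce none."""
    return [hit for hit in map(check, records) if hit]

SAMPLE = [  # constructed records for this example
    {"type": "file", "path": r"C:\Documents and Settings\u\Local Settings\Temp\__a0012ab.exe", "size": 40960},
    {"type": "file", "path": r"C:\WINDOWS\system32\__c00a1b2c.dat", "size": 25088},
    {"type": "file", "path": r"C:\WINDOWS\system32\kernel32.dll", "size": 989696},
    {"type": "run", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "A0012ab.exe",
     "data": r"C:\Documents and Settings\u\Local Settings\Temp\__a0012ab.exe"},
    {"type": "notify", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00a1b2c",
     "values": {"Logon": "B", "Startup": "B", "DllName": r"C:\WINDOWS\system32\__c00a1b2c.dat"}},
    {"type": "mutex", "name": "vmc_mm"},
]
```

Calling triage(SAMPLE) yields one finding per matching record and nothing for the benign kernel32.dll entry; the size check on the .dat file deliberately follows the 25088-byte figure from the advisory, so a different build would need that value adjusted.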