Trojan.PWS.Agent.SGD

MEDIUM
MEDIUM
17,6KB
(Trojan-GameThief.Win32.OnLineGames.tpnr, PWS-Mmorpg.gen trojan, TR/Agent.14336.49, Trojan.Siggen.337 )

Symptoms

If you have at least one of the following files on your computer, you are infected:

%windir%\system32\system.exe  (size: 7,5KB)
%windir%\system32\drivers\hbkernel32.sys (size: 17,6KB)

(where %windir% stands for c:\windows or c:\winnt, depending on the operating system)

Removal instructions:

Please let BitDefender delete your infected files.

Analyzed By

Boeriu Laura, virus researcher

Technical Description:

The malware drops the following files:
         
1) %windir%\system32\hbqqxx.dll
      - this .dll will be injected into all running processes and will try to steal sensitive information, such as user accounts and passwords for the Tencent QQ instant messaging program
        
2) %windir%\system32\system.exe

3) %windir%\system32\drivers\hbkernel32.sys
      - a service named HBKernel32 will be created and will be started at every system startup
      - will set the registry key:
           HKLM\System\CurrentControlSet\Services\HBKernel32
            ImagePath -> %windir%\system32\drivers\HBKernel32.sys 
      - the NtSetValueKey entry in the System Service Descriptor Table will be hooked to point to code from this file

4) c:\documents and settings\%user_name%\local settings\temp\selfdel.bat
      - this is a batch script that will delete the original malware file after it completes its tasks
  
After dropping these files, the trojan will run system.exe and selfdel.bat.

System.exe will perform the following registry operations:

 - will add itself to the registry key to run at every system startup:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     HBService32 -> System.exe
 
 - will set
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
     AppInit_DLLs  -> HBmhly.dll, HB1000Y.dll, HBWOOOL.dll, HBXY2.dll, HBJXSJ.dll, HBSO2.dll, HBFS2.dll, HBXY3.dll, HBSHQ.dll, HBFY.dll, HBWULIN2.dll, HBW2I.dll, HBKDXY.dll, HBWORLD2.dll, HBASKTAO.dll, HBZHUXIAN.dll, HBWOW.dll, HBZERO.dll, HBBO.dll, HBCONQUER.dll, HBSOUL.dll, HBCHIBI.dll, HBDNF.dll, HBWARLORDS.dll, HBTL.dll, HBPICKCHINA.dll, HBCT.dll, HBGC.dll, HBHM.dll, HBHX2.dll, HBQQHX.dll, HBTW2.dll, HBQQSG.dll, HBQQFFO.dll, HBZT.dll, HBMIR2.dll, HBRXJH.dll, HBYY.dll, HBMXD.dll, HBSQ.dll, HBTJ.dll, HBFHZL.dll, HBWLQX.dll, HBLYFX.dll, HBR2.dll, HBCHD.dll, HBTZ.dll, HBQQXX.dll, HBWD.dll, HBZG.dll, HBPPBL.dll, HBXMJ.dll, HBJTLQ.dll, HBQJSJ.dll

 - will remove the entries:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      360Safetray
      360Safebox
    which belong to the Chinese 360 antivirus product.

System.exe runs as a process that can be accessed only from kernel mode; attempting to end it with Task Manager fails with an error.
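The indicators listed in the technical description (dropped files, the HBService32 Run entry, the HB*.dll AppInit_DLLs list and the HBKernel32 service) can be checked mechanically. The following is an added example, not Bitdefender's code: it runs the checks over a constructed snapshot (a dict of registry keys and values plus a list of file paths) so it works offline. On a live host the snapshot would have to be collected first, for example with the winreg module and a directory walk; that collection step is assumed and not shown.

```python
import re

# Registry locations named in the description (keys written as on the page).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SERVICE_KEY = r"HKLM\System\CurrentControlSet\Services\HBKernel32"

# Files the trojan drops, with %windir% left unexpanded.
DROPPED_FILES = (
    r"%windir%\system32\hbqqxx.dll",
    r"%windir%\system32\system.exe",
    r"%windir%\system32\drivers\hbkernel32.sys",
)

# Every name in the AppInit_DLLs list has the form HB<game>.dll.
HB_DLL = re.compile(r"^HB[A-Z0-9]+\.dll$", re.IGNORECASE)


def parse_appinit(value: str) -> list[str]:
    """Split an AppInit_DLLs value (comma- or space-separated) into DLL names."""
    return [d for d in re.split(r"[,\s]+", value.strip()) if d]


def check_snapshot(registry: dict, files: list[str], windir: str = r"c:\windows") -> list[str]:
    """Return one finding per matched indicator; an empty list means nothing matched."""
    findings = []

    # 1. Dropped files, compared case-insensitively after expanding %windir%.
    present = {f.lower() for f in files}
    for dropped in DROPPED_FILES:
        path = dropped.replace("%windir%", windir)
        if path.lower() in present:
            findings.append(f"dropped file present: {path}")

    # 2. Startup persistence through the Run key.
    run = registry.get(RUN_KEY, {})
    if run.get("HBService32", "").lower().endswith("system.exe"):
        findings.append("Run persistence: HBService32 -> System.exe")

    # 3. HB*.dll names injected into every GUI process via AppInit_DLLs.
    appinit = registry.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    hb = [d for d in parse_appinit(appinit) if HB_DLL.match(d)]
    if hb:
        findings.append(f"AppInit_DLLs carries {len(hb)} HB*.dll entries (e.g. {hb[0]})")

    # 4. The kernel driver registered as service HBKernel32.
    image = registry.get(SERVICE_KEY, {}).get("ImagePath", "")
    if image.lower().endswith("hbkernel32.sys"):
        findings.append(f"service HBKernel32 loads {image}")

    return findings


# Constructed snapshots for demonstration (not captured from a real machine).
INFECTED_REGISTRY = {
    RUN_KEY: {"HBService32": "System.exe"},
    APPINIT_KEY: {"AppInit_DLLs": "HBmhly.dll, HB1000Y.dll, HBQQXX.dll"},
    SERVICE_KEY: {"ImagePath": r"%windir%\system32\drivers\HBKernel32.sys"},
}
INFECTED_FILES = [
    r"c:\windows\system32\system.exe",
    r"c:\windows\system32\drivers\hbkernel32.sys",
    r"c:\windows\system32\notepad.exe",
]
CLEAN_REGISTRY = {
    RUN_KEY: {"ctfmon": r"c:\windows\system32\ctfmon.exe"},
    APPINIT_KEY: {"AppInit_DLLs": ""},
}
CLEAN_FILES = [r"c:\windows\system32\notepad.exe"]

if __name__ == "__main__":
    for label, reg, fs in (("infected", INFECTED_REGISTRY, INFECTED_FILES),
                           ("clean", CLEAN_REGISTRY, CLEAN_FILES)):
        print(label, check_snapshot(reg, fs) or ["no indicators"])
```

The AppInit_DLLs check deliberately matches the HB*.dll naming pattern rather than the exact list from the description, since variants may carry a different set of game-client names; the other three checks are exact.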