
Win32.Worm.Agent.QAL

MEDIUM
MEDIUM
~1.5MB
(Trojan-Downloader.Win32.VB.hsi; W32/Autorun.worm.dq.gen virus)

Symptoms

The presence of the following files in the %SYSTEM% folder:
    - XP-D41D8CD9.exe - this one has a folder icon in order to trick the user into opening it
    - og.dll, og.EDT, ul.dll - these files are hidden and are not executable files
    - com.run, dp1.fne, eAPI.fne, internet.fne, krnln.fnr, RegEx.fnr, shell.fne, spec.fne - these are library files of the E language

Removal instructions:

Please let BitDefender delete the detected files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

    When first run, this malware drops the library files of the E programming language into the %TEMP%\E_4\ folder. Later, these files are copied into the %SYSTEM% folder with the hidden attribute set. A copy of this worm is created in the %SYSTEM% folder under the name XP-D41D8CD9.exe, along with the following registry entry, which causes this file to run at every system startup:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Name : XP-D41D8CD9.exe
    Value: %SYSTEM%XP-D41D8CD9.exe
    A link to this file is also added in the Startup menu under " iiiiii ".
   
    Next, it drops og.dll, og.EDT and ul.dll in the %SYSTEM% folder. These files are not executable; they contain only encrypted data.
    The malware then attempts to download the following files to the user's computer:
    http://hi.baidu.com/siletoyou
    http://hidata[removed].com/ul.htm
    http://www.yean[removed].com/ul.htm
    (When this description was written, only the second link was still active; the downloaded file contains encrypted data that will be used by the worm.)
  
    Every 30 seconds it checks for removable drives; if one is found, it copies itself there as Recycled.exe and creates an autorun.inf file that runs that copy.
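The following triage helper is an added example, not part of Bitdefender's description or tooling. It turns the indicators listed above (dropped files, the Run key entry, and the Recycled.exe autorun.inf) into offline checks over data you pass in, so it can be run against a directory listing, an exported Run key, or an autorun.inf collected from a removable drive; the sample autorun.inf below is constructed.

```python
"""Triage checks for the Win32.Worm.Agent.QAL indicators (added example)."""
import configparser
import re

# Indicators taken from the description above (compared case-insensitively).
DROPPED_FILES = {"xp-d41d8cd9.exe", "og.dll", "og.edt", "ul.dll"}
E_LANG_LIBS = {"com.run", "dp1.fne", "eapi.fne", "internet.fne",
               "krnln.fnr", "regex.fnr", "shell.fne", "spec.fne"}
RUN_KEY_NAME = "xp-d41d8cd9.exe"

def check_system_dir(names):
    """names: file names found in %SYSTEM%. Returns (dropped files, E libs) present."""
    lower = {n.lower() for n in names}
    return sorted(lower & DROPPED_FILES), sorted(lower & E_LANG_LIBS)

def check_run_key(values):
    """values: dict of HKLM\\...\\Run value names -> data. Returns persistence hits."""
    return [(k, v) for k, v in values.items()
            if k.lower() == RUN_KEY_NAME or "xp-d41d8cd9" in v.lower()]

def autorun_targets(text):
    """Parse autorun.inf text and return every program it would launch
    (open=, shellexecute= and shell\\...\\command= entries)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    targets = []
    for sec in cp.sections():
        if sec.lower() != "autorun":
            continue
        for key, val in cp.items(sec):  # configparser lowercases keys
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                targets.append(val.strip())
    return targets

def autorun_suspicious(text):
    """True if autorun.inf launches Recycled.exe, the name this worm copies itself as."""
    pattern = re.compile(r"(^|[\\/])recycled\.exe\b", re.I)
    return any(pattern.search(t) for t in autorun_targets(text))

# Constructed sample autorun.inf in the shape the description implies.
SAMPLE_AUTORUN = "[AutoRun]\nopen=Recycled.exe\nshell\\open\\command=Recycled.exe\nicon=Recycled.exe,0\n"

if __name__ == "__main__":
    print("autorun.inf suspicious:", autorun_suspicious(SAMPLE_AUTORUN))
    print("system dir hits:", check_system_dir(["og.dll", "kernel32.dll", "krnln.fnr"]))
```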