JS/Agent.QLN [Threat Name]

JS/Agent.QLN [Threat Variant Name]

Category trojan
Size 160907 B
Detection created Jan 04, 2010
Detection database version 4742
Aliases Trojan.Script.298561 (BitDefender)
  JS:XmlPack-Q (Avast)
Short description

The trojan displays dialogs that ask the user to purchase a specific product/service. After purchasing the product/service, the malware removes itself from the computer. The trojan is probably a part of other malware.

Installation

When executed, the trojan creates the following files:

  • %systemdrive%\ax2qY7ASF3IEqtuyK.dll (18944 B)
  • %systemdrive%\a0dLC6YClJ4mLcM63.apVn (13 B)
  • %systemdrive%\SysFiles\Opera\feeder.js (13393 B)
  • %firefoxfolder%\extensions\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\chrome.manifest (314 B)
  • %firefoxfolder%\extensions\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\install.rdf (833 B)
  • %firefoxfolder%\extensions\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\chrome\content\i_n_f_o_r_m_e_r.xul (231 B)
  • %firefoxfolder%\extensions\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\chrome\content\informer.js (14969 B)
  • %appdata%\Mozilla\Firefox\Profiles\%firefoxprofile%\extensions.cache (425 B)
  • %appdata%\mediamodule.xsl (160907 B)

The following files are modified:

  • %appdata%\Opera\Opera\operaprefs.ini
  • %appdata%\Opera\Opera\profile\opera6.ini

The following Registry entries are set:

  • [HKEY_CLASSES_ROOT\CLSID\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}\InprocServer32]
    • "(Default)" = "%systemdrive%\ax2qY7ASF3IEqtuyK.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Enable Browser Extensions" = "yes"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}]
    • "(Default)" = "MS Media Module"
    • "NoExplorer" = 1
  • [HKEY_CLASSES_ROOT\CLSID\{6B80CDB7-2B4C-F096-2537-B77F369ACFF8}]
    • "(Default)" = "MS Media Module"
Other information

The trojan displays dialogs that ask the user to purchase a specific product/service.


After purchasing the product/service, the malware removes itself from the computer.


The trojan displays the following dialog box:

The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox
  • Opera
