Win32/Agent.PCV [Threat Name]

Win32/Agent.PCV [Threat Variant Name]

Category trojan
Size 26224 B
Detection created Mar 31, 2009
Detection database version 3977
Aliases Backdoor.Win32.Agent.afei (Kaspersky)
  Trojan.KillAV (Symantec)
  Generic.Downloader.x.trojan (McAfee)
Short description

Win32/Agent.PCV is a trojan that repeatedly tries to connect to various URL addresses. It tries to download several files from the addresses. The files are then executed. The file is run-time compressed using UPack.

Installation

When executed, the trojan creates the following files:

  • %system%\killdll.dll (61440 B)
  • %system%\updater.exe (3584 B)

The files are then executed.

The trojan attempts to replace the following files with a copy of itself:

  • %system%\drivers\aec.sys
  • %system%\drivers\asyncmac.sys

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Ferrari" = "%system%\scvhost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe]
    • "360Safebox.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    • "360tray.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]
    • "AgentSvr.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe]
    • "antiarp.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    • "avp.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
    • "bdagent.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe]
    • "ccapp.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
    • "CCenter.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe]
    • "ccEvtMgr.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe]
    • "ccSetMgr.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe]
    • "defwatch.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
    • "egui.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
    • "ekrn.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe]
    • "KavStart.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe]
    • "KISSvc.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe]
    • "kmailmon.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.EXE]
    • "KPFW32.EXE" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe]
    • "KPfwSvc.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.KXP]
    • "KVMonXP.KXP" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
    • "KVSrvXP.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe]
    • "livesrv.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe]
    • "mcagent.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe]
    • "mcinsupd.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe]
    • "mcmscsvc.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe]
    • "McNASvc.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe]
    • "McProxy.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe]
    • "mcshell.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe]
    • "Mcshield.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe]
    • "mcsysmon.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe]
    • "mcupdmgr.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe]
    • "MpfSrv.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.EXE]
    • "MPSVC.EXE" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC3.EXE]
    • "MPSVC3.EXE" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
    • "QQDoctor.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
    • "Rav.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
    • "RavMon.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
    • "RavMonD.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
    • "RavStub.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
    • "RavTask.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
    • "RsAgent.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe]
    • "rsnetsvr.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe]
    • "RsTray.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe]
    • "rtvscan.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
    • "safeboxTray.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe]
    • "ScanFrm.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe]
    • "vptray.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe]
    • "vsserv.exe" = "%system%\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe]
    • "xcommsvr.exe" = "%system%\svchost.exe"

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Other information

The following programs are terminated:

  • 360Safebox.exe
  • 360tray.exe
  • AgentSvr.exe
  • antiarp.exe
  • avp.exe
  • bdagent.exe
  • ccapp.exe
  • CCenter.exe
  • ccEvtMgr.exe
  • ccSetMgr.exe
  • defwatch.exe
  • egui.exe
  • ekrn.exe
  • KavStart.exe
  • KISSvc.exe
  • kmailmon.exe
  • KPFW32.EXE
  • KPfwSvc.exe
  • KVMonXP.KXP
  • KVSrvXP.exe
  • livesrv.exe
  • mcagent.exe
  • mcinsupd.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • mcnasvc.exe
  • McProxy.exe
  • mcproxy.exe
  • mcshell.exe
  • Mcshield.exe
  • mcshield.exe
  • mcsysmon.exe
  • mcupdmgr.exe
  • MpfSrv.exe
  • MPFSrv.exe
  • MPSVC.EXE
  • MPSVC3.EXE
  • QQDoctor.exe
  • Rav.exe
  • RavMon.exe
  • RavMonD.exe
  • RavStub.exe
  • RavTask.exe
  • RsAgent.exe
  • rsnetsvr.exe
  • RsTray.exe
  • rtvscan.exe
  • safeboxTray.exe
  • ScanFrm.exe
  • vptray.exe
  • vsserv.exe
  • xcommsvr.exe

The trojan launches the following processes:

  • cmd /c sc config ekrn start= disabled
  • cmd /c sc config avp start= disabled
  • cmd /c sc config McNASvc start= disabled
  • cmd /c sc config MpfService start= disabled
  • cmd /c sc config McProxy start= disabled
  • cmd /c sc config McShield start= disabled
  • cmd /c sc config mcmscsvc start= disabled
  • cmd /c sc config Mcshield start= disabled
  • cmd /c sc config XCOMM start= disabled
  • cmd /c sc config LIVESRV start= disabled
  • cmd /c sc config scan start= disabled
  • cmd /c sc config VSSERV start= disabled
  • cmd /c sc config RavTask start= disabled
  • cmd /c sc config RsScanSrv start= disabled
  • cmd /c sc config RavTray start= disabled
  • cmd /c sc config RsRavMon start= disabled
  • cmd /c sc config RavCCenter start= disabled
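As an added defender's triage check (not part of the ESET description), the following PowerShell script looks for the tampering indicators listed in the Installation and Other information sections above: the "Ferrari" Run value, IFEO keys for the listed security-product processes whose values redirect to svchost.exe, and the services from the sc config list whose start type is now Disabled. It assumes an elevated session on the affected host; the process and service names are taken verbatim from the lists above, and the script only reads, it changes nothing.

```powershell
# Added triage check for the Win32/Agent.PCV indicators listed above (read-only).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$run  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Process names the trojan registers under IFEO (from the registry list above).
$ifeoTargets = @('360Safebox.exe','360tray.exe','AgentSvr.exe','antiarp.exe','avp.exe',
  'bdagent.exe','ccapp.exe','CCenter.exe','ccEvtMgr.exe','ccSetMgr.exe','defwatch.exe',
  'egui.exe','ekrn.exe','KavStart.exe','KISSvc.exe','kmailmon.exe','KPFW32.EXE','KPfwSvc.exe',
  'KVMonXP.KXP','KVSrvXP.exe','livesrv.exe','mcagent.exe','mcinsupd.exe','mcmscsvc.exe',
  'McNASvc.exe','McProxy.exe','mcshell.exe','Mcshield.exe','mcsysmon.exe','mcupdmgr.exe',
  'MpfSrv.exe','MPSVC.EXE','MPSVC3.EXE','QQDoctor.exe','Rav.exe','RavMon.exe','RavMonD.exe',
  'RavStub.exe','RavTask.exe','RsAgent.exe','rsnetsvr.exe','RsTray.exe','rtvscan.exe',
  'safeboxTray.exe','ScanFrm.exe','vptray.exe','vsserv.exe','xcommsvr.exe')

# Service names from the "sc config ... start= disabled" commands above.
$services = @('ekrn','avp','McNASvc','MpfService','McProxy','McShield','mcmscsvc','XCOMM',
  'LIVESRV','scan','VSSERV','RavTask','RsScanSrv','RavTray','RsRavMon','RavCCenter')

$findings = @()

# 1. Run-key persistence: value "Ferrari" (the page lists it as %system%\scvhost.exe).
$ferrari = Get-ItemProperty -Path $run -Name 'Ferrari' -ErrorAction SilentlyContinue
if ($ferrari) { $findings += "Run value Ferrari = $($ferrari.Ferrari)" }

# 2. IFEO keys for security products whose string values point at svchost.exe,
#    which causes the product's binary to be silently replaced when launched.
foreach ($exe in $ifeoTargets) {
  $key = Join-Path $ifeo $exe
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Value -is [string] -and $p.Value -match 'svchost\.exe$') {
      $findings += "IFEO $exe : $($p.Name) = $($p.Value)"
    }
  }
}

# 3. Security services whose start type has been set to Disabled.
foreach ($svc in $services) {
  $s = Get-CimInstance Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
  if ($s -and $s.StartMode -eq 'Disabled') { $findings += "Service $svc start type is Disabled" }
}

if ($findings) { $findings } else { 'No Win32/Agent.PCV indicators found.' }
```

A service that is absent from the host is simply skipped, so a clean result only means none of the listed indicators are present, not that the machine is uninfected.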

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of (1) URLs. The HTTP protocol is used.

Win32/Agent.PCV is a trojan that repeatedly tries to connect to various URL addresses.

It tries to download several files from the addresses.

These are stored in the following locations:

  • %temp%\%variable%_xeex.tmp

A string with variable content is used instead of %variable%.

The files are then executed.

The trojan creates the following files:

  • %temp%\_ok.bat
