Win32/Agent.QKS [Threat Name]

Win32/Agent.QKS [Threat Variant Name]

Category trojan
Size 66560 B
Detection created Dec 07, 2009
Detection database version 4668
Aliases Trojan:Win32/Riern.B (Microsoft)
  Infostealer.Gampass (Symantec)
  TROJ_RIERN.SMA (TrendMicro)
Short description

Win32/Agent.QKS is a trojan that steals sensitive information.


The trojan can send the information to a remote machine.

Installation

The trojan creates the following files:

  • %appdata%\Macromedia\Common\%random1%19.exe (3072 B)
  • %appdata%\Macromedia\Common\%random1%1.dll (58368 B)
  • %temp%\%random1%2.tmp (58368 B)

A string with variable content is used instead of %random1%.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "WAB" = "%appdata%\Macromedia\Common\%random1%19.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    • "midi1" = "%appdata%\Macromedia\Common\%random1%1.dll"
    • "midi2" = "%appdata%\Macromedia\Common\%random1%1.dll"
    • "wave1" = "%appdata%\Macromedia\Common\%random1%1.dll"
    • "wave2" = "%appdata%\Macromedia\Common\%random1%1.dll"
    • "aux1" = "%appdata%\Macromedia\Common\%random1%1.dll"
    • "aux2" = "%appdata%\Macromedia\Common\%random1%1.dll"
    • "mixer1" = "%appdata%\Macromedia\Common\%random1%1.dll"
    • "mixer2" = "%appdata%\Macromedia\Common\%random1%1.dll"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "rundll32.exe" = ""

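The following PowerShell check is an added example, not part of the ESET description, that looks for the persistence artifacts listed above on a host being investigated. It assumes it is run with administrator rights; the Drivers32 slot names, the Run value names ("WAB", "rundll32.exe") and the drop directory come from this page, while the %random1% prefix is unknown, so matching is on the path and value name rather than the exact file name.

```powershell
# Added example: hunt for Win32/Agent.QKS persistence artifacts (not ESET code).
$findings = @()

# 1. Drivers32: the trojan registers its DLL under the midi/wave/aux/mixer slots.
#    Legitimate entries name system driver files, so data pointing into a
#    user profile directory (%appdata%) is the indicator to flag.
$drivers32 = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$slots = 'midi1','midi2','wave1','wave2','aux1','aux2','mixer1','mixer2'
$props = Get-ItemProperty -Path $drivers32 -ErrorAction SilentlyContinue
foreach ($slot in $slots) {
    $data = $props.$slot
    if (-not $data) { continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($data)
    if ($expanded -match '\\AppData\\' -or $expanded -match 'Macromedia\\Common\\') {
        $findings += [pscustomobject]@{ Key = $drivers32; Name = $slot; Data = $data }
    }
}

# 2. HKCU Run: a "WAB" value pointing at %appdata%\Macromedia\Common, or an
#    empty "rundll32.exe" value, both described in the installation section.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($runProps) {
    if ($runProps.WAB -and $runProps.WAB -match 'Macromedia\\Common') {
        $findings += [pscustomobject]@{ Key = $run; Name = 'WAB'; Data = $runProps.WAB }
    }
    if (($runProps.PSObject.Properties.Name -contains 'rundll32.exe') -and
        [string]::IsNullOrEmpty($runProps.'rundll32.exe')) {
        $findings += [pscustomobject]@{ Key = $run; Name = 'rundll32.exe'; Data = '<empty>' }
    }
}

# 3. Dropped files: %random1%19.exe and %random1%1.dll under %appdata%\Macromedia\Common.
$dropDir = Join-Path $env:APPDATA 'Macromedia\Common'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -File |
        Where-Object { $_.Name -match '(19\.exe|1\.dll)$' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Key = 'file'; Name = $_.FullName; Data = "$($_.Length) B" }
        }
}

if ($findings.Count -eq 0) { 'No Win32/Agent.QKS persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on any Drivers32 slot is worth treating as confirmed rather than suspicious, since nothing legitimate registers a multimedia driver from a roaming profile directory.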
Information stealing

The trojan collects the following information:

  • URLs visited
  • digital certificates
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • operating system version
  • cookies

The trojan can send the information to a remote machine. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (1) URLs. The HTTP protocol is used.


It can execute the following operations:

  • capture screenshots
  • shut down/restart the computer

The following programs are terminated:

  • acrord32.exe

The trojan hooks the following Windows APIs:

  • ExitProcess (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • VirtualProtectEx (kernel32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpAddRequestHeadersA (wininet.dll)
  • HttpAddRequestHeadersW (wininet.dll)
  • CommitUrlCacheEntryA (wininet.dll)
  • CommitUrlCacheEntryW (wininet.dll)
  • PeekMessageW (user32.dll)
  • send (ws2_32.dll)
  • DnsQuery_W (dnsapi.dll)
  • CryptImportKey (advapi32.dll)
  • CryptGenKey (advapi32.dll)
  • CryptDeriveKey (advapi32.dll)

The trojan may create the following files:

  • %temp%\%random2%.tmp
  • %temp%\17ded07d7f6c569a.tmp

A string with variable content is used instead of %random2%.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\*]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\*]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\*]
    • "Start" = 4

The trojan opens the following URLs in Internet Explorer:

  • http://google.com
