Win32/Agent.QLP [Threat Name]

Win32/Agent.QLP [Threat Variant Name]

Category: trojan
Size: 81408 B
Detection created: Dec 07, 2009
Detection database version: 10080
Aliases: Trojan.Win32.ServStart.apy (Kaspersky), Backdoor.Breut (Symantec)
Short description

The trojan may perform various types of attacks against remote machines.

Installation

When executed, the trojan creates the following folder:

  • %windir%\system32\NetAcc

The following file is dropped in the same folder:

  • netacc.exe (11776 B, Win32/Agent.QLP)

The trojan registers the file as a system service.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetAcc]
    • "Type" = 272
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%windir%\system32\NetAcc\netacc.exe"
    • "DisplayName" = "NetAcc"
    • "ObjectName" = "LocalSystem"

The following file is dropped in the same folder:

  • netprot.exe (61440 B, Win32/Agent.QLP trojan)

The trojan then starts the NetAcc service.

The trojan deletes the original file.


The trojan may delete the following files:

  • %windir%\system32\NetAcc\netacc.exe.tmp
  • %windir%\system32\NetAcc\netprot.exe.tmp
  • %windir%\system32\NetAcc\netsvc.dll.tmp
  • %windir%\system32\NetAcc\SHDOCVW.DLL.tmp

The trojan modifies the following file:

  • %windir%\win.ini

The trojan may create copies of itself using the following filenames:

  • %windir%\system32\jetkey.exe (81408 B, Win32/Agent.QLP)

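The service registration and dropped files listed above can be checked for on a suspect host. The following PowerShell script is an added example, not part of the ESET entry; it assumes the registry key and paths exactly as listed here and only reads them, changing nothing on the system.

```powershell
# Added example (not from the ESET entry): read-only checks for the persistence
# artifacts described above. Run from an elevated PowerShell prompt.
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetAcc'
$dropFolder = Join-Path $env:windir 'system32\NetAcc'
$paths = @(
    (Join-Path $dropFolder 'netacc.exe'),
    (Join-Path $dropFolder 'netprot.exe'),
    (Join-Path $dropFolder 'update.exe'),
    (Join-Path $env:windir 'system32\jetkey.exe'),
    'C:\aw.log'
)

$findings = @()

# 1. Service registration. The entry lists Type=272 (0x110: own-process service
#    with the interactive flag) and Start=2 (automatic start) pointing at netacc.exe.
if (Test-Path $serviceKey) {
    $svc = Get-ItemProperty -Path $serviceKey
    $findings += "Service key present: $serviceKey (ImagePath=$($svc.ImagePath), Start=$($svc.Start), Type=$($svc.Type))"
    if ($svc.ImagePath -like '*\NetAcc\netacc.exe*') {
        $findings += 'ImagePath matches the dropped netacc.exe'
    }
}

# 2. Dropped files and self-copies, with sizes to compare against the entry
#    (netacc.exe 11776 B, netprot.exe 61440 B, jetkey.exe 81408 B).
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $findings += "File present: $p ($($item.Length) B)"
    }
}

# 3. Is the service currently registered with the SCM and running?
$running = Get-Service -Name 'NetAcc' -ErrorAction SilentlyContinue
if ($running) { $findings += "Service 'NetAcc' state: $($running.Status)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Agent.QLP persistence artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the service key alone is strong evidence; the file-size comparison helps distinguish this variant from other malware reusing the NetAcc name.
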
Information stealing

The trojan collects the following information:

  • operating system version
  • memory status
  • language settings
  • CPU information

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. It tries to connect to the remote machine on one of the following ports:

  • 50080
  • 55110

It can execute the following operations:

  • perform DoS/DDoS attacks
  • send gathered information
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan may create the following files in the %windir%\system32\NetAcc\ folder:

  • update.exe

The file is then executed.


The trojan can modify the following file:

  • %windir%\system32\drivers\etc\hosts

The trojan may create the following files:

  • c:\aw.log
