Win32/AutoRun.Agent.AGF [Threat Name]

Win32/AutoRun.Agent.AGF [Threat Variant Name]

Category worm
Size 83968 B
Detection created Jul 19, 2012
Detection database version 7313
Aliases Worm:Win32/Clisbot.A (Microsoft)
Short description

Win32/AutoRun.Agent.AGF is a worm that spreads via removable media. The file is run-time compressed using Morphex.

Installation

The worm does not create any copies of itself.


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "dskchk" = "%malwarefilepath%"

The worm creates the following files:

  • %temp%\rtf%variable%.tmp
  • %userprofile%\dlst.dat

The worm executes the following command:

  • regedit.exe /s "%temp%\rtf%variable%.tmp"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceid%]
    • "NameServer" = "127.0.0.1"
    • "DhcpNameServer" = "127.0.0.1"

A string with variable content is used instead of %variable%.
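The worm applies its settings by importing a .reg file through regedit.exe /s, so the same indicators (the "dskchk" Run value and the loopback NameServer/DhcpNameServer values under the Tcpip interface keys) can be checked offline in a recovered .tmp file or in a `reg export` taken from a suspect host. The checker below is an added example, not ESET's code; the .reg sample, the interface GUID and the executable path are constructed placeholders.

```python
import re

# Constructed sample in regedit export format, modelled on the entries the description
# lists; not a capture of the worm's real %temp%\rtf*.tmp file. GUID and path are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dskchk"="E:\\VolumeInform\\chk1234.tmp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E1A2B3C4-0000-1111-2222-333344445555}]
"NameServer"="127.0.0.1"
"DhcpNameServer"="127.0.0.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office]
"Installed"=dword:00000001
"""

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IFACE_PREFIX = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                r"\Tcpip\Parameters\Interfaces" + "\\")
DNS_VALUES = ("NameServer", "DhcpNameServer")

def parse_reg(text):
    """Map each [key] in a .reg export to its values; data is kept as written."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"(.*)"|(.+))$', line)
            if m:
                result[current][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return result

def find_indicators(reg):
    """Flag the Run value and the loopback DNS settings the description lists."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k == RUN_KEY.lower() and "dskchk" in values:
            findings.append(("persistence", key, "dskchk", values["dskchk"]))
        elif k.startswith(IFACE_PREFIX.lower()):
            for name in DNS_VALUES:
                # NameServer may hold a comma- or space-separated list; check the first entry
                if re.split(r"[ ,]", values.get(name, ""))[0] == "127.0.0.1":
                    findings.append(("dns_redirect", key, name, values[name]))
    return findings
```

A NameServer of 127.0.0.1 hands every DNS lookup on that interface to a resolver on the host itself, which is worth flagging on any machine regardless of which sample set it.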

Spreading on removable media

Win32/AutoRun.Agent.AGF is a worm that spreads via removable media.


The worm creates the following folders:

  • %drive%\VolumeInform

The worm copies itself to the following location:

  • %drive%\VolumeInform\chk%variable%.tmp.exe

The worm creates the following file:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.


A string with variable content is used instead of %variable%.

Information stealing

The worm collects the following information:

  • operating system version
  • antivirus software detected on the affected machine

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of (1) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • block access to specific websites
  • monitor network traffic
  • modify network traffic
  • send gathered information

The worm keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Windows NT 4.0]
    • "OID" = %variable1%
    • "GID" = %variable2%
    • "Guid" = %variable3%

The worm may create the following files:

  • %userprofile%\flh.dat
  • %userprofile%\­pconfig
  • %userprofile%\­dpconfig
