Win32/AutoRun.Agent.PG [Threat Name] go to Threat

Win32/AutoRun.Agent.PG [Threat Variant Name]

Category worm
Size 32169 B
Detection created Jun 19, 2009
Detection database version 4171
Aliases Trojan-Dropper.Win32.Mudrop.bnj (Kaspersky)
  Trojan.Dropper (Symantec)
  TrojanDownloader:Win32/Dogkild.O (Microsoft)
Short description

Win32/AutoRun.Agent.PG is a worm that spreads by copying itself into the root folders of available drives. The file is run-time compressed using NsPack .

Installation

When executed, the worm creates the following files:

  • %windir%\­phpq.dll (45568 B)
  • %system%\­func.dll (38400 B)
  • %system%\­drivers\­pcidump.sys (11904 B)

The worm attempts to replace the following files with a copy of itself:

  • %system%\­drivers\­acpiec.sys

Installs the following system drivers:

  • %system%\­drivers\­acpiec.sys (14080 B)
  • %system%\­drivers\­pcidump.sys (11904 B)

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_PCIDUMP\­0000\­Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "pcidump"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_PCIDUMP\­0000]
    • "Service" = "pcidump"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "pcidump"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_PCIDUMP]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_UPDATEDATA\­0000\­Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "UPDATEDATA"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_UPDATEDATA\­0000]
    • "Service = "UPDATEDATA"
    • "Legacy = 1
    • "ConfigFlags = 0
    • "Class = "LegacyDriver"
    • "ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc = "UPDATEDATA"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­Root\­LEGACY_UPDATEDATA]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­UPDATEDATA\­Enum]
    • "0" = "Root\­LEGACY_UPDATEDATA\­0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­UPDATEDATA\­Security]
    • "Security" = %hex_value%
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­UPDATEDATA]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 0
    • "ImagePath" = "%system%\­drivers\­acpiec.sys"
    • "DisplayName" = "UPDATEDATA"
Spreading

Win32/AutoRun.Agent.PG is a worm that spreads by copying itself into the root folders of available drives.


The following filename is used:

  • %drive%\­1.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

  • network adapter information
  • malware version
  • operating system version

The worm can send the information to a remote machine. The HTTP protocol is used.

Other information

The following programs are terminated:

  • 360Safe.exe
  • 360Safebox.exe
  • 360tray.exe
  • AgentSvr.exe
  • antiarp.exe
  • ANTI-TROJAN.exe
  • antivir.exe
  • AUTODOWN.exe
  • AVKSERV.exe
  • AVPUPD.exe
  • AVSCHED32.exe
  • avsynmgr.exe
  • AVWIN95.exe
  • CCenter.exe
  • CFIAUDIT.exe
  • CFIND.exe
  • cfinet.exe
  • cfinet32.exe
  • DrRtp.exe
  • DV95.exe
  • DV95_O.exe
  • DVP95.exe
  • egui.exe
  • ekrn.exe
  • JED.exe
  • Kabackreport.exe
  • kaccore.exe
  • Kasmain.exe
  • kav32.exe
  • kavstart.exe
  • kissvc.exe
  • kmailmon.exe
  • KPFW32.exe
  • kpfw32.exe
  • kpfwsvc.exe
  • KPPMain.exe
  • KRF.exe
  • KVMonXP.exe
  • KVPreScan.exe
  • kwatch.exe
  • luall.exe
  • LUCOMSERVER.exe
  • mcafee.exe
  • McNASvc.exe
  • McProxy.exe
  • Mcshield.exe
  • mon.exe
  • moniker.exe
  • MOOLIVE.exe
  • MpfSrv.exe
  • N32ACAN.exe
  • navapsvc.exe
  • navapw32.exe
  • NAVLU32.exe
  • NAVNT.exe
  • navrunr.exe
  • NAVSCHED.exe
  • NAVW.exe
  • NAVW32.exe
  • navwnt.exe
  • nod32krn.exe
  • PCCClient.exe
  • pccguide.exe
  • pcciomon.exe
  • pccmain.exe
  • pccwin98.exe
  • PCFWALLICON.exe
  • PERSFW.exe
  • pop3trap.exe
  • PpPpWallRun.exe
  • program.exe
  • prot.exe
  • pview95.exe
  • QQDoctor.exe
  • ras.exe
  • Rav.exe
  • RAV7.exe
  • rav7win.exe
  • RavMon.exe
  • RavMonD.exe
  • RavStub.exe
  • RavTask.exe
  • rescue32.exe
  • Rfw.exe
  • rfwmain.exe
  • rfwProxy.exe
  • rfwsrv.exe
  • rfwstub.exe
  • Rsaupd.exe
  • RsMain.exe
  • rsnetsvr.exe
  • rssafety.exe
  • RsTray.exe
  • safeboxTray.exe
  • safeweb.exe
  • scam32.exe
  • scan.exe
  • SCAN32.exe
  • ScanFrm.exe
  • SCANPM.exe
  • scon.exe
  • SCRSCAN.exe
  • secu.exe
  • SERV95.exe
  • sirc32.exe
  • SMC.exe
  • smtpsvc.exe
  • SPHINX.exe
  • spy.exe
  • SWEEP95.exe
  • TBSCAN.exe
  • TCA.exe
  • TDS2-98.exe
  • TDS2-NT.exe
  • Tmntsrv.exe
  • TMOAgent.exe
  • tmproxy.exe
  • tmupdito.exe
  • TSC.exe
  • UlibCfg.exe
  • vavrunr.exe
  • VET95.exe
  • VETTRAY.exe
  • vir.exe
  • VPC32.exe
  • VSECOMR.exe
  • vshwin32.exe
  • VSHWIN32.exe
  • VSSCAN40
  • vsstat.exe
  • WEBSCAN.exe
  • WEBSCANX.exe
  • webtrap.exe
  • WFINDV32.exe
  • windowsÓĹ»Ż´óʦ.exe
  • wink.exe
  • zonealarm.exe
  • ZONEALARM.exe

The worm modifies the following file:

  • %system%\­drivers\­etc\­hosts

The worm writes the following entries to the file:

  • 127.0.0.1       v.onondown.com.cn
  • 127.0.0.2       ymsdasdw1.cn
  • 127.0.0.3       h96b.info
  • 127.0.0.0       fuck.zttwp.cn
  • 127.0.0.0       www.hackerbf.cn
  • 127.0.0.0       geekbyfeng.cn
  • 127.0.0.0       121.14.101.68
  • 127.0.0.0       ppp.etimes888.com
  • 127.0.0.0       www.bypk.com
  • 127.0.0.0       CSC3-2004-crl.verisign.com
  • 127.0.0.1       va9sdhun23.cn
  • 127.0.0.0       udp.hjob123.com
  • 127.0.0.2       bnasnd83nd.cn
  • 127.0.0.0       www.gamehacker.com.cn
  • 127.0.0.0       gamehacker.com.cn
  • 127.0.0.3       adlaji.cn
  • 127.0.0.1       858656.com
  • 127.1.1.1       bnasnd83nd.cn
  • 127.0.0.1       my123.com
  • 127.0.0.0       user1.12-27.net
  • 127.0.0.1       8749.com
  • 127.0.0.0       fengent.cn
  • 127.0.0.1       4199.com
  • 127.0.0.1       user1.16-22.net
  • 127.0.0.1       7379.com
  • 127.0.0.1       2be37c5f.3f6e2cc5f0b.com
  • 127.0.0.1       7255.com
  • 127.0.0.1       user1.23-12.net
  • 127.0.0.1       3448.com
  • 127.0.0.1       www.guccia.net
  • 127.0.0.1       7939.com
  • 127.0.0.1       a.o1o1o1.nEt
  • 127.0.0.1       8009.com
  • 127.0.0.1       user1.12-73.cn
  • 127.0.0.1       piaoxue.com
  • 127.0.0.1       3n8nlasd.cn
  • 127.0.0.1       kzdh.com
  • 127.0.0.0       www.sony888.cn
  • 127.0.0.1       about.blank.la
  • 127.0.0.0       user1.asp-33.cn
  • 127.0.0.1       6781.com
  • 127.0.0.0       www.netkwek.cn
  • 127.0.0.1       7322.com
  • 127.0.0.0       ymsdkad6.cn
  • 127.0.0.1       localhost
  • 127.0.0.0       www.lkwueir.cn
  • 127.0.0.1       06.jacai.com
  • 127.0.1.1       user1.23-17.net
  • 127.0.0.1       1.jopenkk.com
  • 127.0.0.0       upa.luzhiai.net
  • 127.0.0.1       1.jopenqc.com
  • 127.0.0.0       www.guccia.net
  • 127.0.0.1       1.joppnqq.com
  • 127.0.0.0       4m9mnlmi.cn
  • 127.0.0.1       1.xqhgm.com
  • 127.0.0.0       mm119mkssd.cn
  • 127.0.0.1       100.332233.com
  • 127.0.0.0       61.128.171.115:8080
  • 127.0.0.1       121.11.90.79
  • 127.0.0.0       www.1119111.com
  • 127.0.0.1       121565.net
  • 127.0.0.0       win.nihao69.cn
  • 127.0.0.1       125.90.88.38
  • 127.0.0.1       16888.6to23.com
  • 127.0.0.1       2.joppnqq.com
  • 127.0.0.0       puc.lianxiac.net
  • 127.0.0.1       204.177.92.68
  • 127.0.0.0       pud.lianxiac.net
  • 127.0.0.1       210.74.145.236
  • 127.0.0.0       210.76.0.133
  • 127.0.0.1       219.129.239.220
  • 127.0.0.0       61.166.32.2
  • 127.0.0.1       219.153.40.221
  • 127.0.0.0       218.92.186.27
  • 127.0.0.1       219.153.46.27
  • 127.0.0.0       www.fsfsfag.cn
  • 127.0.0.1       219.153.52.123
  • 127.0.0.0       ovo.ovovov.cn
  • 127.0.0.1       221.195.42.71
  • 127.0.0.0       dw.com.com
  • 127.0.0.1       222.73.218.115
  • 127.0.0.1       203.110.168.233:80
  • 127.0.0.1       3.joppnqq.com
  • 127.0.0.1       203.110.168.221:80
  • 127.0.0.1       363xx.com
  • 127.0.0.1       www1.ip10086.com.cm
  • 127.0.0.1       4199.com
  • 127.0.0.1       blog.ip10086.com.cn
  • 127.0.0.1       43242.com
  • 127.0.0.1       www.ccji68.cn
  • 127.0.0.1       5.xqhgm.com
  • 127.0.0.0       t.myblank.cn
  • 127.0.0.1       520.mm5208.com
  • 127.0.0.0       x.myblank.cn
  • 127.0.0.1       59.34.131.54
  • 127.0.0.1       210.51.45.5
  • 127.0.0.1       59.34.198.228
  • 127.0.0.1       www.ew1q.cn
  • 127.0.0.1       59.34.198.88
  • 127.0.0.1       59.34.198.97
  • 127.0.0.1       60.190.114.101
  • 127.0.0.1       60.190.218.34
  • 127.0.0.0       qq-xing.com.cn
  • 127.0.0.1       60.191.124.252
  • 127.0.0.1       61.145.117.212
  • 127.0.0.1       61.157.109.222
  • 127.0.0.1       75.126.3.216
  • 127.0.0.1       75.126.3.217
  • 127.0.0.1       75.126.3.218
  • 127.0.0.0       59.125.231.177:17777
  • 127.0.0.1       75.126.3.220
  • 127.0.0.1       75.126.3.221
  • 127.0.0.1       75.126.3.222
  • 127.0.0.1       772630.com
  • 127.0.0.1       832823.cn
  • 127.0.0.1       8749.com
  • 127.0.0.1       888.jopenqc.com
  • 127.0.0.1       89382.cn
  • 127.0.0.1       8v8.biz
  • 127.0.0.1       97725.com
  • 127.0.0.1       9gg.biz
  • 127.0.0.1       www.9000music.com
  • 127.0.0.1       test.591jx.com
  • 127.0.0.1       a.topxxxx.cn
  • 127.0.0.1       picon.chinaren.com
  • 127.0.0.1       www.5566.net
  • 127.0.0.1       p.qqkx.com
  • 127.0.0.1       news.netandtv.com
  • 127.0.0.1       z.neter888.cn
  • 127.0.0.1       b.myblank.cn
  • 127.0.0.1       wvw.wokutu.com
  • 127.0.0.1       unionch.qyule.com
  • 127.0.0.1       www.qyule.com
  • 127.0.0.1       it.itjc.cn
  • 127.0.0.1       www.linkwww.com
  • 127.0.0.1       vod.kaicn.com
  • 127.0.0.1       www.tx8688.com
  • 127.0.0.1       b.neter888.cn
  • 127.0.0.1       promote.huanqiu.com
  • 127.0.0.1       www.huanqiu.com
  • 127.0.0.1       www.haokanla.com
  • 127.0.0.1       play.unionsky.cn
  • 127.0.0.1       www.52v.com
  • 127.0.0.1       www.gghka.cn
  • 127.0.0.1       icon.ajiang.net
  • 127.0.0.1       new.ete.cn
  • 127.0.0.1       www.stiae.cn
  • 127.0.0.1       o.neter888.cn
  • 127.0.0.1       comm.jinti.com
  • 127.0.0.1       www.google-analytics.com
  • 127.0.0.1       hz.mmstat.com
  • 127.0.0.1       www.game175.cn
  • 127.0.0.1       x.neter888.cn
  • 127.0.0.1       z.neter888.cn
  • 127.0.0.1       p.etimes888.com
  • 127.0.0.1       hx.etimes888.com
  • 127.0.0.1       abc.qqkx.com
  • 127.0.0.1       dm.popdm.cn
  • 127.0.0.1       www.yl9999.com
  • 127.0.0.1       www.dajiadoushe.cn
  • 127.0.0.1       v.onondown.com.cn
  • 127.0.0.1       www.interoo.net
  • 127.0.0.1       bally1.bally-bally.net
  • 127.0.0.1       www.bao5605509.cn
  • 127.0.0.1       www.rty456.cn
  • 127.0.0.1       www.werqwer.cn
  • 127.0.0.1       1.360-1.cn
  • 127.0.0.1       user1.23-16.net
  • 127.0.0.1       www.guccia.net
  • 127.0.0.1       www.interoo.net
  • 127.0.0.1       upa.netsool.net
  • 127.0.0.1       js.users.51.la
  • 127.0.0.1       vip2.51.la
  • 127.0.0.1       web.51.la
  • 127.0.0.1       qq.gong2008.com
  • 127.0.0.1       2008tl.copyip.com
  • 127.0.0.1       tla.laozihuolaile.cn
  • 127.0.0.1       www.tx6868.cn
  • 127.0.0.1       p001.tiloaiai.com
  • 127.0.0.1       s1.tl8tl.com
  • 127.0.0.1       s1.gong2008.com
  • 127.0.0.1       4b3ce56f9g.3f6e2cc5f0b.com
  • 127.0.0.1       2be37c5f.3f6e2cc5f0b.com

This blocks access to several Internet servers.


The worm may create copies of the following files (source, destination):

  • %system%\­drivers\­gm.dls, %windir%\­temp\­explorer.exe

The worm launches the following processes:

  • cmd /c cacls %windir% /e /p everyone:f
  • cmd /c cacls "%temp%\­" /e /p everyone:f
  • cmd /c sc config ekrn start= disabled
  • cmd /c taskkill /im ekrn.exe /f
  • cmd /c taskkill /im egui.exe /f
  • cmd /c sc config avp start= disabled
  • cmd /c taskkill /f /im avp.exe
  • cmd /c taskkill /im ScanFrm.exe /f
  • rundll32.exe func.dll, droqp

The worm contains a list of (3) URLs. It tries to download several files from the addresses. The HTTP protocol is used.


These are stored in the following locations:

  • %filepath%
  • %system%\­drivers\­192yuioealdjfiefjsdfas.txt

A string with variable content is used instead of %filepath% . The files are then executed.


The worm creates copies of the following files (source, destination):

  • %filepath%, %windir%\­setup.exe
  • %filepath%, %drive%\­1.exe

The worm creates and runs a new thread with its own program code within the following processes:

  • avp.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.