Win32/PSW.Agent.NGX [Threat Name]

Win32/PSW.Agent.NGX [Threat Variant Name]

Category: trojan
Size: 96256 B
Detection created: Dec 18, 2007
Detection database version: 2730
Aliases: Trojan.MulDrop.7050 (Dr.Web)
  Trojan.horse.PSW.Agent.RJS (Grisoft)
  Trojan.PSW.Win32.WoWar.agz (Rising)
Short description

Win32/PSW.Agent.NGX is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following folder:

  • %temp%\IXP%variable%.TMP

The executables of the trojan are copied there using the following names:

  • lese.exe (22580 B)
  • mm.exe (10240 B)

The string %variable% stands for a 3-digit number.

The following files are dropped into the %system% folder:

  • XunLeiBHO_001.dll (65541 B)
  • kbass1p.dll (15872 B)

Libraries with the following names are injected into all running processes:

  • kbass1p.dll

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder\CLSID]
    • "(Default)" = "{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder]
    • "(Default)" = "Thunder Browser Helper"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder.1\CLSID]
    • "(Default)" = "{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder.1]
    • "(Default)" = "Thunder Browser Helper"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Thunder\CurVer]
    • "(Default)" = "Thunder.1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}]
    • "(Default)" = "Thunder Browser Helper"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}\InprocServer32]
    • "(Default)" = "%system%\XunLeiBHO_001.dll"
    • "ThreadingModel" = "Both"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}\ProgID]
    • "(Default)" = "Thunder.1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}\TypeLib]
    • "(Default)" = "{840DD6BB-C734-4361-89E9-E3D6DE0AE38A}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{840DD6BB-C734-4361-89E9-E3D6DE0AE38A}\1.0]
    • "(Default)" = "GetHtmlPwd 1.0 Type Library"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{840DD6BB-C734-4361-89E9-E3D6DE0AE38A}\1.0\0\win32]
    • "(Default)" = "%system%\XunLeiBHO_001.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{840DD6BB-C734-4361-89E9-E3D6DE0AE38A}\1.0\FLAGS]
    • "(Default)" = "0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{840DD6BB-C734-4361-89E9-E3D6DE0AE38A}\1.0\HELPDIR]
    • "(Default)" = "%system%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}\VersionIndependentProgID]
    • "(Default)" = "Thunder.Browser.Helper"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    • "{9C0ADB68-353A-61DD-ED09-1D8003A6D1CB}" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C0ADB68-353A-61DD-ED09-1D8003A6D1CB}\InProcServer32]
    • "(Default)" = "%system%\kbass1p.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A271618B-8C99-49BF-817A-DFFF5A624B36}]
    • "(Default)" = "IGetPwd"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A271618B-8C99-49BF-817A-DFFF5A624B36}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A271618B-8C99-49BF-817A-DFFF5A624B36}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A271618B-8C99-49BF-817A-DFFF5A624B36}\TypeLib]
    • "(Default)" = "{840DD6BB-C734-4361-89E9-E3D6DE0AE38A}"
    • "Version" = "1.0"

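
The registry entries above give a defender two persistence artifacts to look for: the ShellExecuteHooks value (a CLSID whose in-process server Explorer loads into its own process) and the CLSID registrations pointing at the dropped DLLs. The following read-only check is an added example, not part of this threat entry; it assumes the CLSIDs and DLL names are exactly those listed above and that it is run in an elevated PowerShell session on the host being examined.

```powershell
# Added example (not from the threat entry): read-only check for the artifacts listed above.
# Assumption: CLSIDs and DLL names are exactly as documented in the entry.

$KnownBadClsids = @(
    '{9C0ADB68-353A-61DD-ED09-1D8003A6D1CB}',  # ShellExecuteHooks entry -> %system%\kbass1p.dll
    '{63B2D652-EAD9-4D6E-93ED-2CC51D22CF02}'   # "Thunder Browser Helper" -> %system%\XunLeiBHO_001.dll
)
$KnownBadDlls = @('kbass1p.dll', 'XunLeiBHO_001.dll')

function Get-ShellExecuteHookFindings {
    # Every value name under this key is a CLSID; Explorer loads its InProcServer32 DLL
    # whenever ShellExecute is called. Resolve each hook to the DLL it actually points at.
    $hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (-not (Test-Path $hookKey)) { return @() }
    $names = (Get-Item $hookKey).GetValueNames() | Where-Object { $_ -like '{*}' }
    foreach ($clsid in $names) {
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        $server = if (Test-Path $serverKey) { (Get-ItemProperty $serverKey).'(default)' } else { $null }
        # Flag either a known CLSID or any hook whose server path ends in one of the dropped DLL names.
        $dllHit = @($KnownBadDlls | Where-Object { $server -and $server -like "*\$_" }).Count -gt 0
        [pscustomobject]@{
            Clsid      = $clsid
            Server     = $server
            Suspicious = ($KnownBadClsids -contains $clsid) -or $dllHit
        }
    }
}

function Get-KnownClsidRegistrations {
    # Direct check for the two documented CLSIDs, independent of whether the hook value survived.
    foreach ($clsid in $KnownBadClsids) {
        [pscustomobject]@{ Clsid = $clsid; Registered = (Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid") }
    }
}

function Test-HostsFileMissing {
    # The entry notes that %system%\drivers\etc\hosts is deleted; its absence is a cheap corroborating signal.
    -not (Test-Path "$env:SystemRoot\System32\drivers\etc\hosts")
}

Get-ShellExecuteHookFindings | Format-Table -AutoSize
Get-KnownClsidRegistrations  | Format-Table -AutoSize
"hosts file missing: $(Test-HostsFileMissing)"
```

A hook that is not in the known list but resolves to a DLL outside %system% or to a missing file deserves the same scrutiny, since the key is rarely populated on a clean workstation.
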
Information stealing

The trojan is able to log keystrokes.

The trojan collects information related to the on-line game World of Warcraft.

The trojan can send the information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used.

Other information

The trojan creates the following files:

  • %temp%\IXP%variable%.TMP\iog.bat
  • %temp%\IXP%variable%.TMP\cmdd.bat
  • %temp%\htba

The following files are deleted:

  • %system%\drivers\etc\hosts

The trojan terminates processes with any of the following strings in the name:

  • QQLiveUpdate.exe

The trojan interferes with the operation of some security applications to avoid detection.


The trojan mutes the Master Volume control of the sound device.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "wextract_cleanup%number%" = "rundll32.exe %system%\advpack.dll,DelNodeRunDLL32 "%temp%\IXP%variable%.TMP\""

The %number% represents a random number.
