MSIL/Agent.QXU [Threat Name]

MSIL/Agent.QXU [Threat Variant Name]

Category trojan
Size 284762 B
Detection created Dec 19, 2015
Detection database version 12749
Aliases Trojan.Siggen6.40727 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates one of the following files:

  • %windir%\CRMSvc.exe (269312 B, MSIL/Agent.QXU)
  • %programfiles%\CRMSvc\CRMSvc.exe (269312 B, MSIL/Agent.QXU)

The trojan registers the file as a system service.

This causes the trojan to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D105DFE2-8DF6-4BA0-ABF1-392716658963}]
    • "DisplayName" = "CRMSvc"
    • "DisplayVersion" = "1.5.45.468"
    • "EstimatedSize" = 278
    • "InstallDate" = "%variable1%"
    • "InstallLocation" = "%installfolder%"
    • "NoModify" = 1
    • "NoRepair" = 1
    • "Publisher" = "CRM Ltd"
    • "QuietUninstallString" = "%installfolder%\­CRMSvc.exe --uninst"
    • "UninstallString" = "%installfolder%\­CRMSvc.exe --uninst"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­CRMSvc]
    • "uid" = "%variable2%"

A string with variable content is used in place of %variable1-2%.

Information stealing

The trojan collects the following information:

  • operating system version
  • malware version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The TCP and HTTP protocols are used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • set up a proxy server
  • send gathered information

The trojan may execute the following commands:

  • cmd.exe /C netsh firewall delete allowedprogram "%installfolder%\CRMSvc.exe"
  • cmd.exe /C netsh firewall add allowedprogram "%installfolder%\CRMSvc.exe" CRMSvc ENABLE
  • cmd.exe /C netsh advfirewall firewall delete rule name="CRMSvc"
  • cmd.exe /C netsh advfirewall firewall add rule name="CRMSvc" dir=in action=allow program="%installfolder%\CRMSvc.exe" enable=yes"
  • sc.exe failure "CRMSvc" reset=2 actions=restart/10000

The trojan requires the Microsoft .NET Framework to run.
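As an added example (not part of the ESET description), a read-only PowerShell hunt for the host artifacts listed above: the dropped file at either location, the CRMSvc service, the two registry keys and the firewall rule the netsh commands create. It assumes a current Windows host with the NetSecurity module available; the WOW6432Node key is an assumption covering a 32-bit process on 64-bit Windows and is not named in the entry.

```powershell
# Added example, not ESET's code: report MSIL/Agent.QXU artifacts, change nothing.
$findings = @()

# 1. Dropped file at either location named in the entry (269312 B per the entry)
$paths = @(
    (Join-Path $env:windir 'CRMSvc.exe'),
    (Join-Path $env:ProgramFiles 'CRMSvc\CRMSvc.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        $note = if ($size -eq 269312) { 'size matches entry' } else { "size $size B" }
        $findings += "File present: $p ($note)"
    }
}

# 2. Persistence: the file registered as a system service
$svc = Get-Service -Name 'CRMSvc' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service registered: CRMSvc (state: $($svc.Status))" }

# 3. Registry keys set at installation (WOW6432Node path is an assumption)
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D105DFE2-8DF6-4BA0-ABF1-392716658963}',
    'HKLM:\SOFTWARE\CRMSvc',
    'HKLM:\SOFTWARE\WOW6432Node\CRMSvc'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k
        $findings += "Registry key present: $k (Publisher='$($props.Publisher)', uid='$($props.uid)')"
    }
}

# 4. Inbound firewall exception; 'name=' in netsh advfirewall becomes the DisplayName
$rule = Get-NetFirewallRule -DisplayName 'CRMSvc' -ErrorAction SilentlyContinue
if ($rule) {
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    $findings += "Firewall rule 'CRMSvc' ($($rule.Direction)/$($rule.Action)) for program: $prog"
}

if ($findings.Count -eq 0) {
    'No MSIL/Agent.QXU artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated prompt so the HKLM keys and firewall rules are readable; a matching file size alone is a weak indicator and should be confirmed with a hash or AV scan.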
