Win32/Agent.PKH [Threat Name]
Win32/Agent.PKH [Threat Variant Name]
Category | trojan
Size | 14848 B
Aliases | Trojan-Downloader.Win32.Small.jqv (Kaspersky)
        | W32.Tidserv.G (Symantec)
        | Trojan.PWS.IpDiscover (Dr.Web)
Short description
Win32/Agent.PKH is a trojan which modifies the behavior of network routers.
Installation
The trojan does not create any copies of itself.
The following Registry entries are set:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
- "iexplore.exe" = ""
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
- "iexplore.exe" = ""
This feature control decides whether Internet Explorer accepts user names and passwords embedded in URLs (http://user:password@host/), a syntax Internet Explorer has blocked by default for iexplore.exe since the 2004 security update. Overriding it for iexplore.exe in both the per-user and the system-wide hive is consistent with the trojan driving its router logins through Internet Explorer (see "Other information"), and the presence of this value for iexplore.exe is a useful indicator when checking a machine.
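An added example (not part of ESET's description): a Python check that scans the text of a `reg export` dump for the feature control listed above and flags every FEATURE_HTTP_USERNAME_PASSWORD_DISABLE override that does not explicitly keep URL credentials blocked (dword:00000001). The sample export, the function names and the decision to treat the empty-string value from the description as suspicious are the example's own assumptions.

```python
from typing import Dict, List

# Tail of the registry path (below SOFTWARE or SOFTWARE\Wow6432Node) of the feature
# control the trojan modifies.  A value of dword:00000001 for a process blocks
# http://user:password@host/ URLs in that process; any other value lifts the block.
FEATURE_KEY = (r"\Microsoft\Internet Explorer\MAIN\FeatureControl"
               r"\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE")

# Constructed `reg export` text for the example (not a capture from an infected host):
# an unrelated feature control, the system-wide entry from the description with its
# empty-string value, and a per-user entry that re-enables URL credentials via dword 0.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe"=dword:00002af8

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000001
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=data lines of a .reg export (single-line values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def find_url_credential_overrides(text: str) -> List[str]:
    """Return 'HIVE: process=data' for every override of the feature control that
    does not explicitly keep URL credentials blocked (dword:00000001)."""
    findings: List[str] = []
    for key, values in parse_reg_export(text).items():
        hive, _, subkey = key.partition("\\")
        if not subkey.upper().endswith(FEATURE_KEY.upper()):
            continue
        for process, data in values.items():
            if data.lower() == "dword:00000001":
                continue  # feature disabled: credentials in URLs stay blocked
            findings.append(f"{hive}: {process}={data}")
    return findings


if __name__ == "__main__":
    for finding in find_url_credential_overrides(SAMPLE_REG):
        print("suspicious feature-control override ->", finding)
```

On a live machine, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl" hklm.reg` (and the HKCU equivalent). The check matches the key by its tail, so a Wow6432Node copy on 64-bit Windows is caught too; an administrator can legitimately set this value, so treat a hit as something to explain rather than proof of infection.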
Other information
Win32/Agent.PKH is a trojan which modifies the behavior of network routers.
The trojan carries out a "DNS cache poisoning" attack through the router, which can redirect the network traffic of hosts on the local network to the attacker's web sites.
The trojan connects to the following addresses:
- %address%/wizard.htm
- %address%/home.asp
- %address%/dlink/hwiz.html
- %address%/index.asp
- %address%
%address% represents the IP address of the router in the local network.
The listed paths are the web configuration interfaces of common home and small-office routers.
The following list of logins (name:password) is used against these interfaces:
- 11111:x-admin
- 1234:1234
- 1500:and 2000 Series
- 1502:1502
- aaa:often blank
- Admin:
- admin:
- admin:0
- admin:1111
- admin:123
- admin:1234
- admin:12345
- Admin:123456
- admin:123456
- admin:1234admin
- admin:2222
- admin:22222
- admin:access
- Admin:admin
- admin:admin
- admin:admin123
- admin:administrator
- admin:adslolitec
- admin:adslroot
- admin:articon
- admin:asante
- admin:Ascend
- admin:asd
- admin:atlantis
- admin:barricade
- admin:bintec
- admin:comcomcom
- admin:default
- admin:draadloos
- admin:epicrouter
- admin:extendnet
- admin:hagpolm1
- admin:hello
- admin:hp.com
- admin:changeme
- admin:imss7.0
- admin:ironport
- admin:isee
- admin:leviton
- admin:linga
- admin:microbusiness
- admin:michelangelo
- admin:motorola
- admin:mu
- admin:my_DEMARC
- admin:netadmin
- admin:NetCache
- admin:NetSurvibox
- admin:noway
- admin:OCS
- admin:OkiLAN
- admin:operator
- admin:P@55w0rd!
- admin:Password
- admin:password
- admin:passwort
- admin:pfsense
- admin:Protector
- admin:q1w2e3
- admin:rmnetlm
- admin:secure
- admin:setup
- admin:Sharp
- admin:smallbusiness
- admin:smcadmin
- admin:switch
- admin:symbol
- admin:synnet
- admin:sysAdmin
- admin:w2402
- admin:x-admin
- admin2:changeme
- Administrator:
- administrator:
- Administrator:3ware
- Administrator:admin
- ADMINISTRATOR:ADMINISTRATOR
- Administrator:ganteng
- Administrator:changeme
- Administrator:password
- Administrator:pilou
- Administrator:smcadmin
- adminstat:OCS
- adminstrator:changeme
- adminttd:adminttd
- adminuser:OCS
- adminview:OCS
- ADMN:admn
- ADSL:expert03
- ADVMAIL:HP
- ADVMAIL:HPOFFICE DATA
- ami:
- Any:12345
- apc:apc
- cablecom:router
- cac_admin:cacadmin
- ccrusr:ccrusr
- cellit:cellit
- cisco:
- Cisco:Cisco
- CISCO15:otbu+1
- citel:password
- comcast:
- comcast:1234
- craft:
- CSG:SESAME
- cusadmin:highspeed
- customer:none
- dadmin:dadmin01
- davox:davox
- deskalt:password
- deskman:changeme
- desknorm:password
- deskres:password
- device:device
- diag:danger
- disttech:4tas
- e250:e250changeme
- e500:e500changeme
- Factory:56789
- FIELD:HPONLY
- FIELD:HPP187 SYS
- FIELD:LOTUS
- FIELD:HPWORD PUB
- FIELD:MANAGER
- FIELD:MGR
- FIELD:SERVICE
- FIELD:SUPPORT
- Gearguy:Geardog
- GEN1:gen1
- GEN2:gen2
- guest:
- guest:guest
- HELLO:FIELD.SUPPORT
- HELLO:MANAGER.SYS
- HELLO:MGR.SYS
- HELLO:OP.OPERATOR
- helpdesk:OCS
- hsa:hsadb
- HTTP:HTTP
- images:images
- install:secret
- installer:installer
- intel:intel
- intermec:intermec
- IntraStack:Asante
- IntraSwitch:Asante
- isp:isp
- jagadmin:
- l2:l2
- l3:l3
- login:access
- login:admin
- m1122:m1122
- MAIL:HPOFFICE
- MAIL:MAIL
- MAIL:MPE
- MAIL:REMOTE
- MAIL:TELESUP
- maint:maint
- maint:ntacdmax
- manage:!manage
- Manager:
- manager:admin
- MANAGER:COGNOS
- manager:friend
- Manager:friend
- MANAGER:HPOFFICE
- manager:change_on_install
- MANAGER:ITF3000
- manager:manager
- MANAGER:SECURITY
- MANAGER:SYS
- MANAGER:TELESUP
- MANAGER:TCH
- manuf:xxyyzz
- MDaemon:MServer
- mediator:mediator
- MGR:CAROLIAN
- MGR:CCC
- MGR:CNAS
- MGR:COGNOS
- MGR:CONV
- MGR:HPDESK
- MGR:HPOFFICE
- MGR:HPONLY
- MGR:HPP187
- MGR:HPP189
- MGR:HPP196
- MGR:INTX3
- MGR:ITF3000
- MGR:NETBASE
- MGR:REGO
- MGR:RJE
- MGR:ROBELLE
- MGR:SECURITY
- MGR:SYS
- MGR:TELESUP
- MGR:VESOFT
- MGR:WORD
- MGR:XLSERVER
- MICRO:RSX
- mlusr:mlusr
- monitor:monitor
- mso:w0rkplac3rul3s
- naadmin:naadmin
- NAU:NAU
- netadmin:nimdaten
- netman:
- netrangr:attack
- netscreen:netscreen
- NICONEX:NICONEX
- none:0
- none:admin
- operator:
- operator:$chwarzepumpe
- OPERATOR:COGNOS
- OPERATOR:DISC
- operator:operator
- OPERATOR:SUPPORT
- OPERATOR:SYS
- OPERATOR:SYSTEM
- patrol:patrol
- PCUSER:SYS
- piranha:piranha
- piranha:q
- Polycom:456
- Polycom:SpIp
- PRODDTA:PRODDTA
- public:
- public:public
- radware:radware
- readonly:lucenttech2
- readwrite:lucenttech1
- replicator:replicator
- RMUser1:password
- ro:ro
- Root:
- root:
- root:0P3N
- root:1234
- root:12345
- root:3ep5w2u
- root:admin
- root:admin_1
- root:ascend
- root:attack
- root:blender
- root:calvin
- root:Cisco
- root:davox
- root:default
- root:fivranne
- root:changeme
- root:iDirect
- root:Mau'dib
- root:pass
- root:password
- root:root
- root:tslinux
- RSBCMON:SYS
- rw:rw
- rwa:rwa
- scmadmin:scmchangeme
- scout:scout
- security:security
- Service:5678
- service:smile
- setup:changeme
- setup:setup
- smc:smcadmin
- SPOOLMAN:HPOFFICE
- SSA:SSA
- storwatch:specialist
- stratacom:stratauser
- super.super:
- super.super:master
- super:5777364
- super:super
- superadmin:secret
- superman:21241036
- superman:talent
- superuser:admin
- supervisor:
- supervisor:PlsChgMe
- supervisor:supervisor
- support:h179350
- support:support
- sys:uplink
- SYSADM:sysadm
- sysadmin:PASS
- sysadmin:password
- SYSDBA:masterkey
- system:password
- system:sys
- teacher:password
- telecom:telecom
- tellabs:tellabs#1
- temp1:password
- tiara:tiaranet
- tiger:tiger123
- TMAR#HWMT8007079:
- topicalt:password
- topicnorm:password
- topicres:password
- user:
- user:password
- user:tivonpw
- user:user
- USERID:PASSW0RD
- vcr:NetVCR
- vt100:public
- webadmin:1234
- webadmin:webadmin
- websecadm:changeme
- wlse:wlsedb
- WP:HPOFFICE
- wradmin:trancell
- xd:xd
- zxc:cascade
The HTTP protocol is used.
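What the credential list is for, shown as an added example that is neither ESET's nor the trojan's code: each name:password pair becomes an HTTP Basic Authorization header, the same header Internet Explorer derives from a http://name:password@host/ URL, and is sent to the router configuration paths listed above. The Python below does this as a defensive check against a gateway you own. It runs offline against a constructed mock router; the mock's one accepted login (admin:1234), the handful of list entries tried, and all function names are the example's own choices.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple

# Configuration pages the description lists (%address% is the router's LAN IP).
ROUTER_PATHS = ["/wizard.htm", "/home.asp", "/dlink/hwiz.html", "/index.asp", "/"]

# A handful of entries from the page's name:password list, in the page's own format.
# "Admin:" has an empty password; "root:Mau'dib" shows a password with punctuation.
CREDENTIAL_LINES = ["Admin:", "admin:1234", "root:Mau'dib", "admin:admin", "cisco:"]

# Opener that ignores http_proxy/https_proxy so the check really hits the LAN address.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def parse_credentials(lines: List[str]) -> List[Tuple[str, str]]:
    """Split on the first ':' only, so a password may itself contain ':'."""
    pairs: List[Tuple[str, str]] = []
    for line in lines:
        name, _, password = line.strip().partition(":")
        pairs.append((name, password))
    return pairs


def basic_auth_header(name: str, password: str) -> str:
    """The Authorization header a browser derives from http://name:password@host/ (RFC 7617)."""
    token = base64.b64encode(f"{name}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def try_login(base_url: str, path: str, name: str, password: str, timeout: float = 3.0) -> bool:
    """True if the router serves the page with these credentials, False on 401."""
    req = urllib.request.Request(base_url + path,
                                 headers={"Authorization": basic_auth_header(name, password)})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise  # anything else (404, 403 rate limit, ...) is not a clean answer


def audit_router(base_url: str, paths: List[str],
                 pairs: List[Tuple[str, str]]) -> Optional[Tuple[str, str, str]]:
    """Return (path, name, password) for the first accepted default login, else None."""
    for path in paths:
        for name, password in pairs:
            if try_login(base_url, path, name, password):
                return (path, name, password)
    return None


class MockRouter(BaseHTTPRequestHandler):
    """Constructed stand-in for a router admin interface protected by HTTP Basic auth."""
    ACCEPTED = basic_auth_header("admin", "1234")  # constructed weak credential

    def do_GET(self):
        if self.path not in ROUTER_PATHS:
            self.send_error(404)
            return
        if self.headers.get("Authorization") != self.ACCEPTED:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<html>setup wizard</html>")

    def log_message(self, *args):
        pass  # keep the mock quiet


def start_mock_router() -> str:
    """Serve the mock on an ephemeral loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), MockRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> Optional[Tuple[str, str, str]]:
    """Run the audit against the mock; pass your own gateway's URL to audit_router for a real check."""
    return audit_router(start_mock_router(), ROUTER_PATHS, parse_credentials(CREDENTIAL_LINES))


if __name__ == "__main__":
    print(demo())
```

To audit a real device, call audit_router with the gateway's base URL (the %address% of this description) and the full list from the page; only test equipment you are responsible for. The first 200 stops the search, and a device that serves its configuration pages without any authentication will report the very first pair as accepted, which is itself a finding. Statuses other than 200 and 401 are raised rather than counted as failures, so a router that answers with 403 after a few attempts does not silently produce a false "no weak credentials" result.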
The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of (2) URLs.
The trojan connects to the following addresses:
- www.infersearch.com
The trojan launches the following processes:
- iexplore.exe (Internet Explorer)