Win32/Agent.PKH [Threat Name]

Win32/Agent.PKH [Threat Variant Name]

Category trojan
Size 14848 B
Aliases Trojan-Downloader.Win32.Small.jqv (Kaspersky)
  W32.Tidserv.G (Symantec)
  Trojan.PWS.IpDiscover (Dr.Web)
Short description

Win32/Agent.PKH is a trojan which modifies the behavior of network routers.

Installation

The trojan does not create any copies of itself.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
    • "iexplore.exe" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
    • "iexplore.exe" = ""
Other information

Win32/Agent.PKH is a trojan which modifies the behavior of network routers.


The trojan executes a "DNS cache poisoning" attack, which can cause redirection of network traffic to the attacker's web sites.


The trojan connects to the following addresses:

  • %address%/wizard.htm
  • %address%/home.asp
  • %address%/dlink/hwiz.html
  • %address%/index.asp
  • %address%

%address% represents the IP address of the router in the local network.


The listed addresses are the addresses of web configuration interfaces of common routers.


The following list of logins is used (name:password):

  • 11111:x-admin
  • 1234:1234
  • 1500:and 2000 Series
  • 1502:1502
  • aaa:often blank
  • Admin:
  • admin:
  • admin:0
  • admin:1111
  • admin:123
  • admin:1234
  • admin:12345
  • Admin:123456
  • admin:123456
  • admin:1234admin
  • admin:2222
  • admin:22222
  • admin:access
  • Admin:admin
  • admin:admin
  • admin:admin123
  • admin:administrator
  • admin:adslolitec
  • admin:adslroot
  • admin:articon
  • admin:asante
  • admin:Ascend
  • admin:asd
  • admin:atlantis
  • admin:barricade
  • admin:bintec
  • admin:comcomcom
  • admin:default
  • admin:draadloos
  • admin:epicrouter
  • admin:extendnet
  • admin:hagpolm1
  • admin:hello
  • admin:hp.com
  • admin:changeme
  • admin:imss7.0
  • admin:ironport
  • admin:isee
  • admin:leviton
  • admin:linga
  • admin:microbusiness
  • admin:michelangelo
  • admin:motorola
  • admin:mu
  • admin:my_DEMARC
  • admin:netadmin
  • admin:NetCache
  • admin:NetSurvibox
  • admin:noway
  • admin:OCS
  • admin:OkiLAN
  • admin:operator
  • admin:P@55w0rd!
  • admin:Password
  • admin:password
  • admin:passwort
  • admin:pfsense
  • admin:Protector
  • admin:q1w2e3
  • admin:rmnetlm
  • admin:secure
  • admin:setup
  • admin:Sharp
  • admin:smallbusiness
  • admin:smcadmin
  • admin:switch
  • admin:symbol
  • admin:synnet
  • admin:sysAdmin
  • admin:w2402
  • admin:x-admin
  • admin2:changeme
  • Administrator:
  • administrator:
  • Administrator:3ware
  • Administrator:admin
  • ADMINISTRATOR:ADMINISTRATOR
  • Administrator:ganteng
  • Administrator:changeme
  • Administrator:password
  • Administrator:pilou
  • Administrator:smcadmin
  • adminstat:OCS
  • adminstrator:changeme
  • adminttd:adminttd
  • adminuser:OCS
  • adminview:OCS
  • ADMN:admn
  • ADSL:expert03
  • ADVMAIL:HP
  • ADVMAIL:HPOFFICE DATA
  • ami:
  • Any:12345
  • apc:apc
  • cablecom:router
  • cac_admin:cacadmin
  • ccrusr:ccrusr
  • cellit:cellit
  • cisco:
  • Cisco:Cisco
  • CISCO15:otbu+1
  • citel:password
  • comcast:
  • comcast:1234
  • craft:
  • CSG:SESAME
  • cusadmin:highspeed
  • customer:none
  • dadmin:dadmin01
  • davox:davox
  • deskalt:password
  • deskman:changeme
  • desknorm:password
  • deskres:password
  • device:device
  • diag:danger
  • disttech:4tas
  • e250:e250changeme
  • e500:e500changeme
  • Factory:56789
  • FIELD:HPONLY
  • FIELD:HPP187 SYS
  • FIELD:LOTUS.FIELD:HPWORD PUB
  • FIELD:MANAGER
  • FIELD:MGR
  • FIELD:SERVICE
  • FIELD:SUPPORT
  • Gearguy:Geardog
  • GEN1:gen1
  • GEN2:gen2
  • guest:
  • guest:guest
  • HELLO:FIELD.SUPPORT
  • HELLO:MANAGER.SYS
  • HELLO:MGR.SYS
  • HELLO:OP.OPERATOR
  • helpdesk:OCS
  • hsa:hsadb
  • HTTP:HTTP
  • images:images
  • install:secret
  • installer:installer
  • intel:intel
  • intermec:intermec
  • IntraStack:Asante
  • IntraSwitch:Asante
  • isp:isp
  • jagadmin:
  • l2:l2
  • l3:l3
  • login:access
  • login:admin
  • m1122:m1122
  • MAIL:HPOFFICE
  • MAIL:MAIL
  • MAIL:MPE
  • MAIL:REMOTE
  • MAIL:TELESUP
  • maint:maint
  • maint:ntacdmax
  • manage:!manage
  • Manager:
  • manager:admin
  • MANAGER:COGNOS
  • manager:friend
  • Manager:friend
  • MANAGER:HPOFFICE
  • manager:change_on_install
  • MANAGER:ITF3000
  • manager:manager
  • MANAGER:SECURITY
  • MANAGER:SYS
  • MANAGER:TELESUP
  • MANAGER:TCH
  • manuf:xxyyzz
  • MDaemon:MServer
  • mediator:mediator
  • MGR:CAROLIAN
  • MGR:CCC
  • MGR:CNAS
  • MGR:COGNOS
  • MGR:CONV
  • MGR:HPDESK
  • MGR:HPOFFICE
  • MGR:HPONLY
  • MGR:HPP187
  • MGR:HPP189
  • MGR:HPP196
  • MGR:INTX3
  • MGR:ITF3000
  • MGR:NETBASE
  • MGR:REGO
  • MGR:RJE
  • MGR:ROBELLE
  • MGR:SECURITY
  • MGR:SYS
  • MGR:TELESUP
  • MGR:VESOFT
  • MGR:WORD
  • MGR:XLSERVER
  • MICRO:RSX
  • mlusr:mlusr
  • monitor:monitor
  • mso:w0rkplac3rul3s
  • naadmin:naadmin
  • NAU:NAU
  • netadmin:nimdaten
  • netman:
  • netrangr:attack
  • netscreen:netscreen
  • NICONEX:NICONEX
  • none:0
  • none:admin
  • operator:
  • operator:$chwarzepumpe
  • OPERATOR:COGNOS
  • OPERATOR:DISC
  • operator:operator
  • OPERATOR:SUPPORT
  • OPERATOR:SYS
  • OPERATOR:SYSTEM
  • patrol:patrol
  • PCUSER:SYS
  • piranha:piranha
  • piranha:q
  • Polycom:456
  • Polycom:SpIp
  • PRODDTA:PRODDTA
  • public:
  • public:public
  • radware:radware
  • readonly:lucenttech2
  • readwrite:lucenttech1
  • replicator:replicator
  • RMUser1:password
  • ro:ro
  • Root:
  • root:
  • root:0P3N
  • root:1234
  • root:12345
  • root:3ep5w2u
  • root:admin
  • root:admin_1
  • root:ascend
  • root:attack
  • root:blender
  • root:calvin
  • root:Cisco
  • root:davox
  • root:default
  • root:fivranne
  • root:changeme
  • root:iDirect
  • root:Mau'dib
  • root:pass
  • root:password
  • root:root
  • root:tslinux
  • RSBCMON:SYS
  • rw:rw
  • rwa:rwa
  • scmadmin:scmchangeme
  • scout:scout
  • security:security
  • Service:5678
  • service:smile
  • setup:changeme
  • setup:setup
  • smc:smcadmin
  • SPOOLMAN:HPOFFICE
  • SSA:SSA
  • storwatch:specialist
  • stratacom:stratauser
  • super.super:
  • super.super:master
  • super:5777364
  • super:super
  • superadmin:secret
  • superman:21241036
  • superman:talent
  • superuser:admin
  • supervisor:
  • supervisor:PlsChgMe
  • supervisor:supervisor
  • support:h179350
  • support:support
  • sys:uplink
  • SYSADM:sysadm
  • sysadmin:PASS
  • sysadmin:password
  • SYSDBA:masterkey
  • system:password
  • system:sys
  • teacher:password
  • telecom:telecom
  • tellabs:tellabs#1
  • temp1:password
  • tiara:tiaranet
  • tiger:tiger123
  • TMAR#HWMT8007079:
  • topicalt:password
  • topicnorm:password
  • topicres:password
  • user:
  • user:password
  • user:tivonpw
  • user:user
  • USERID:PASSW0RD
  • vcr:NetVCR
  • vt100:public
  • webadmin:1234
  • webadmin:webadmin
  • websecadm:changeme
  • wlse:wlsedb
  • WP:HPOFFICE
  • wradmin:trancell
  • xd:xd
  • zxc:cascade

The HTTP protocol is used.


The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of (2) URLs.


The trojan connects to the following addresses:

  • www.infersearch.com

The trojan launches the following processes:

  • iexplore.exe (Internet Explorer)
