Win32/Agent.PKH [Threat Name] go to Threat

Win32/Agent.PKH [Threat Variant Name]

Category	trojan
Size	14848 B
Aliases	Trojan-Downloader.Win32.Small.jqv (Kaspersky)
	W32.Tidserv.G (Symantec)
	Trojan.PWS.IpDiscover (Dr.Web)

Short description

Win32/Agent.PKH is a trojan which modifies the behavior of network routers.

Installation

The trojan does not create any copies of itself.

The following Registry entries are set:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
- "iexplore.exe" = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
- "iexplore.exe" = ""

Other information

Win32/Agent.PKH is a trojan which modifies the behavior of network routers.

The trojan executes a "DNS cache poisoning" attack, which can cause redirection of network traffic to the attacker's web sites.

The trojan connects to the following addresses:

%address%/wizard.htm
%address%/home.asp
%address%/dlink/hwiz.html
%address%/index.asp
%address%

%address% represents the IP address of the router in the local network .

The listed addresses are the addresses of web configuration interfaces of common routers.

The following list of logins is used (name:password):

11111:x-admin
1234:1234
1500:and 2000 Series
1502:1502
aaa:often blank
Admin:
admin:
admin:0
admin:1111
admin:123
admin:1234
admin:12345
Admin:123456
admin:123456
admin:1234admin
admin:2222
admin:22222
admin:access
Admin:admin
admin:admin
admin:admin123
admin:administrator
admin:adslolitec
admin:adslroot
admin:articon
admin:asante
admin:Ascend
admin:asd
admin:atlantis
admin:barricade
admin:bintec
admin:comcomcom
admin:default
admin:draadloos
admin:epicrouter
admin:extendnet
admin:hagpolm1
admin:hello
admin:hp.com
admin:changeme
admin:imss7.0
admin:ironport
admin:isee
admin:leviton
admin:linga
admin:microbusiness
admin:michelangelo
admin:motorola
admin:mu
admin:my_DEMARC
admin:netadmin
admin:NetCache
admin:NetSurvibox
admin:noway
admin:OCS
admin:OkiLAN
admin:operator
admin:P@55w0rd!
admin:Password
admin:password
admin:passwort
admin:pfsense
admin:Protector
admin:q1w2e3
admin:rmnetlm
admin:secure
admin:setup
admin:Sharp
admin:smallbusiness
admin:smcadmin
admin:switch
admin:symbol
admin:synnet
admin:sysAdmin
admin:w2402
admin:x-admin
admin2:changeme
Administrator:
administrator:
Administrator:3ware
Administrator:admin
ADMINISTRATOR:ADMINISTRATOR
Administrator:ganteng
Administrator:changeme
Administrator:password
Administrator:pilou
Administrator:smcadmin
adminstat:OCS
adminstrator:changeme
adminttd:adminttd
adminuser:OCS
adminview:OCS
ADMN:admn
ADSL:expert03
ADVMAIL:HP
ADVMAIL:HPOFFICE DATA
ami:
Any:12345
apc:apc
cablecom:router
cac_admin:cacadmin
ccrusr:ccrusr
cellit:cellit
cisco:
Cisco:Cisco
CISCO15:otbu+1
citel:password
comcast:
comcast:1234
craft:
CSG:SESAME
cusadmin:highspeed
customer:none
dadmin:dadmin01
davox:davox
deskalt:password
deskman:changeme
desknorm:password
deskres:password
device:device
diag:danger
disttech:4tas
e250:e250changeme
e500:e500changeme
Factory:56789
FIELD:HPONLY
FIELD:HPP187 SYS
FIELD:LOTUS.FIELD:HPWORD PUB
FIELD:MANAGER
FIELD:MGR
FIELD:SERVICE
FIELD:SUPPORT
Gearguy:Geardog
GEN1:gen1
GEN2:gen2
guest:
guest:guest
HELLO:FIELD.SUPPORT
HELLO:MANAGER.SYS
HELLO:MGR.SYS
HELLO:OP.OPERATOR
helpdesk:OCS
hsa:hsadb
HTTP:HTTP
images:images
install:secret
installer:installer
intel:intel
intermec:intermec
IntraStack:Asante
IntraSwitch:Asante
isp:isp
jagadmin:
l2:l2
l3:l3
login:access
login:admin
m1122:m1122
MAIL:HPOFFICE
MAIL:MAIL
MAIL:MPE
MAIL:REMOTE
MAIL:TELESUP
maint:maint
maint:ntacdmax
manage:!manage
Manager:
manager:admin
MANAGER:COGNOS
manager:friend
Manager:friend
MANAGER:HPOFFICE
manager:change_on_install
MANAGER:ITF3000
manager:manager
MANAGER:SECURITY
MANAGER:SYS
MANAGER:TELESUP
MANAGER:TCH
manuf:xxyyzz
MDaemon:MServer
mediator:mediator
MGR:CAROLIAN
MGR:CCC
MGR:CNAS
MGR:COGNOS
MGR:CONV
MGR:HPDESK
MGR:HPOFFICE
MGR:HPONLY
MGR:HPP187
MGR:HPP189
MGR:HPP196
MGR:INTX3
MGR:ITF3000
MGR:NETBASE
MGR:REGO
MGR:RJE
MGR:ROBELLE
MGR:SECURITY
MGR:SYS
MGR:TELESUP
MGR:VESOFT
MGR:WORD
MGR:XLSERVER
MICRO:RSX
mlusr:mlusr
monitor:monitor
mso:w0rkplac3rul3s
naadmin:naadmin
NAU:NAU
netadmin:nimdaten
netman:
netrangr:attack
netscreen:netscreen
NICONEX:NICONEX
none:0
none:admin
operator:
operator:$chwarzepumpe
OPERATOR:COGNOS
OPERATOR:DISC
operator:operator
OPERATOR:SUPPORT
OPERATOR:SYS
OPERATOR:SYSTEM
patrol:patrol
PCUSER:SYS
piranha:piranha
piranha:q
Polycom:456
Polycom:SpIp
PRODDTA:PRODDTA
public:
public:public
radware:radware
readonly:lucenttech2
readwrite:lucenttech1
replicator:replicator
RMUser1:password
ro:ro
Root:
root:
root:0P3N
root:1234
root:12345
root:3ep5w2u
root:admin
root:admin_1
root:ascend
root:attack
root:blender
root:calvin
root:Cisco
root:davox
root:default
root:fivranne
root:changeme
root:iDirect
root:Mau'dib
root:pass
root:password
root:root
root:tslinux
RSBCMON:SYS
rw:rw
rwa:rwa
scmadmin:scmchangeme
scout:scout
security:security
Service:5678
service:smile
setup:changeme
setup:setup
smc:smcadmin
SPOOLMAN:HPOFFICE
SSA:SSA
storwatch:specialist
stratacom:stratauser
super.super:
super.super:master
super:5777364
super:super
superadmin:secret
superman:21241036
superman:talent
superuser:admin
supervisor:
supervisor:PlsChgMe
supervisor:supervisor
support:h179350
support:support
sys:uplink
SYSADM:sysadm
sysadmin:PASS
sysadmin:password
SYSDBA:masterkey
system:password
system:sys
teacher:password
telecom:telecom
tellabs:tellabs#1
temp1:password
tiara:tiaranet
tiger:tiger123
TMAR#HWMT8007079:
topicalt:password
topicnorm:password
topicres:password
user:
user:password
user:tivonpw
user:user
USERID:PASSW0RD
vcr:NetVCR
vt100:public
webadmin:1234
webadmin:webadmin
websecadm:changeme
wlse:wlsedb
WP:HPOFFICE
wradmin:trancell
xd:xd
zxc:cascade

The HTTP protocol is used.

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of (2) URLs.

The trojan connects to the following addresses:

www.infersearch.com

The trojan launches the following processes:

iexplore.exe (Internet Explorer)