Win32/Agent.QKJ [Threat Name] go to Threat

Win32/Agent.QKJ [Threat Variant Name]

Category trojan
Size 36864 B
Aliases BackDoor.Siggen.58193 (Dr.Web)
  Sf:Zbot-CQ (Avast)
Short description

The trojan serves as a proxy server.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %system%\­csrss.exe
  • %appdata%\­csrss.exe
  • %system%\­rundll32.exe
  • %appdata%\­rundll32.exe
  • %system%\­svchost.exe
  • %appdata%\­svchost.exe

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Client Server Runtime Process" = "%installfolder%\­csrss.exe"
    • "Host-process Windows (Rundll32.exe)" = "%installfolder%\­rundll32.exe"
    • "Service Host Process for Windows" = "%installfolder%\­svchost.exe"

This causes the trojan to be executed on every system start.

Other information

The trojan serves as a proxy server.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) IP addresses. The TCP protocol is used.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • smtp.gmail.com:25
  • plus.smtp.mail.yahoo.com:25

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Software\­Microsoft\­Shared Police\­MachineParamCPUU]

Please enable Javascript to ensure correct displaying of this content and refresh this page.