Win32/Agent.QME [Threat Name]

Win32/Agent.QME [Threat Variant Name]

Category: trojan
Size: 348556 B
Detection created: Dec 10, 2009
Detection database version: 10143
Aliases: Trojan-Dropper.Win32.Injector.kjtx (Kaspersky)
  Win32/Remhead!gmb (Microsoft)
Short description

Win32/Agent.QME is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.


The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • iexplore.exe
  • chrome.exe
  • firefox.exe

The trojan may create copies of itself using the following filenames:

  • %appdata%\%variable%.tmp

A string with variable content is used instead of %variable%.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wmnotify" = "rundll32.exe %appdata%\%variable%.tmp NfInitialize"

This way the trojan ensures that the file is executed on every system start.
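
A triage check for the Run entry described above, as an added example (it is not ESET's detection logic): it takes values already exported from the HKEY_CURRENT_USER Run key as name/data pairs and reports which documented traits each one shows. The function names, the sample values and the user profile path are constructed for illustration.

```python
import re

# Documented entry: "wmnotify" = "rundll32.exe %appdata%\%variable%.tmp NfInitialize"
# %variable% is unknown, so any .tmp file name directly under %appdata% is matched.
RUNDLL_TMP = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'  # rundll32, with or without a path
    r'"?(?P<dll>[^",]+?\.tmp)"?'                   # module argument ending in .tmp
    r'(?:\s*,\s*|\s+)(?P<export>\w+)\s*$',         # export name after space or comma
    re.IGNORECASE,
)

def match_reasons(name, data, appdata):
    """Return the documented traits that one Run value (name, data) exhibits."""
    reasons = []
    if name.lower() == "wmnotify":
        reasons.append("value name wmnotify")
    m = RUNDLL_TMP.match(data)
    if not m:
        return reasons
    dll = m.group("dll").lower()
    for prefix in ("%appdata%\\", appdata.lower().rstrip("\\") + "\\"):
        # The copy sits directly in %appdata%, so no further backslash may follow.
        if dll.startswith(prefix) and "\\" not in dll[len(prefix):]:
            reasons.append("rundll32 loads .tmp from %appdata%")
            break
    if m.group("export").lower() == "nfinitialize":
        reasons.append("export NfInitialize")
    return reasons

def scan_run_values(values, appdata):
    """Map each suspicious value name to its reasons; clean values are omitted."""
    found = {n: match_reasons(n, d, appdata) for n, d in values.items()}
    return {n: r for n, r in found.items() if r}

# Constructed sample data (not taken from a real host).
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_RUN_VALUES = {
    "wmnotify": r"rundll32.exe C:\Users\alice\AppData\Roaming\k3f9.tmp NfInitialize",
    "updater": r'rundll32.exe "%appdata%\zz81.tmp",NfInitialize',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "printhelper": r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /il",
}

if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES, APPDATA).items():
        print(f"{name}: {', '.join(reasons)}")
```

A value that matches on the command shape but not on the name is still reported, since the value name is the easiest part of the entry to change.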

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%guid1%\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%guid2%\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%guid3%\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%guid4%\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%guid5%\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%guid6%\ShellFolder]

A string with variable content is used instead of %guid1-6%.

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The trojan collects the following information:

  • information about the operating system and system settings
  • cookies
  • digital certificates
  • screenshots

The following programs are affected:

  • Internet Explorer
  • Google Chrome
  • Mozilla Firefox

The trojan may redirect the user to the attacker's web sites.

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 8 URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • delete cookies
  • send the list of files on a specific drive to a remote computer
  • make the operating system unbootable

Win32/Agent.QME is a trojan that interferes with the operation of some security applications.

The following programs are affected:

  • Trusteer Rapport

The trojan hooks the following Windows APIs:

  • TranslateMessage (user32.dll)
  • CryptGetUserKey (advapi32.dll)
  • WSAEnumNetworkEvents (ws2_32.dll)
  • WSAEventSelect (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • send (ws2_32.dll)
  • recv (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • InternetOpenUrlA (winInet.dll)
  • InternetOpenUrlW (winInet.dll)
  • InternetSetStatusCallbackA (winInet.dll)
  • InternetSetStatusCallbackW (winInet.dll)
  • InternetOpenA (winInet.dll)
  • InternetOpenW (winInet.dll)
  • InternetConnectA (winInet.dll)
  • InternetConnectW (winInet.dll)
  • HttpOpenRequestA (winInet.dll)
  • HttpOpenRequestW (winInet.dll)
  • HttpSendRequestA (winInet.dll)
  • HttpSendRequestW (winInet.dll)
  • InternetQueryOptionA (winInet.dll)
  • InternetQueryOptionW (winInet.dll)
  • InternetSetOptionA (winInet.dll)
  • InternetSetOptionW (winInet.dll)
  • HttpQueryInfoA (winInet.dll)
  • HttpQueryInfoW (winInet.dll)
  • InternetQueryDataAvailable (winInet.dll)
  • InternetReadFile (winInet.dll)
  • InternetReadFileExA (winInet.dll)
  • InternetReadFileExW (winInet.dll)
  • InternetCloseHandle (winInet.dll)
  • PR_Read (nspr4.dll/nss3.dll)
  • PR_Write (nspr4.dll/nss3.dll)
  • PR_Close (nspr4.dll/nss3.dll)
  • %variousapi% (chrome.dll)
