Win32/Agent.QMH [Threat Name] go to Threat

Win32/Agent.QMH [Threat Variant Name]

Category trojan
Size 240128 B
Aliases Backdoor.Win32.Zegost.abzh (Kaspersky)
Short description

Win32/Agent.QMH is a trojan that steals sensitive information. It can be controlled remotely. It uses techniques common for rootkits.


When executed, the trojan copies itself into the following location:

  • %appdata%\­Microsoft\­%guid%\­%hardwarespecificidentifier%.exe

A string with variable content is used instead of %hardwarespecificidentifier%, %guid% .

The trojan executes the following files:

  • explorer.exe

The trojan creates and runs a new thread with its own code within these running processes.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­­Software\­­Microsoft\­­Windows\­­CurrentVersion\­­Run]
    • "%hardwarespecificidentifier%" = "%appdata%\­Microsoft\­%guid%\­%hardwarespecificidentifier%.exe"
  • [HKEY_CURRENT_USER\­­Software\­­Microsoft\­­Windows\­­CurrentVersion\­­Run]
    • "%hardwarespecificidentifier%" = "%appdata%\­Microsoft\­%guid%\­%hardwarespecificidentifier%.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­­Software\­­Microsoft\­­Windows\­­CurrentVersion]
    • "%hardwarespecificidentifier%" = "%guid%"
  • [HKEY_CURRENT_USER\­­Software\­­Microsoft\­­Windows\­­CurrentVersion]
    • "%hardwarespecificidentifier%" = "%guid%"

The trojan may create the following files:

  • %appdata%\­Microsoft\­%guid%\­%hardwarespecificidentifier%.cfg

The trojan creates and runs a new thread with its own program code in all running processes.

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The trojan affects the behavior of the following applications:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Opera

The trojan collects the following information:

  • operating system version
  • installed Microsoft Windows patches

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself

The trojan may create the following files:

  • %temp%\­%guid%\­%variable%.exe

A string with variable content is used instead of %variable% .

The trojan hides its presence in the system. It uses techniques common for rootkits.

The trojan hooks the following Windows APIs:

  • NtResumeThread (ntdll.dll)
  • NtCreateFile (ntdll.dll)
  • NtOpenFile (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtQuerySystemInformation (ntdll.dll)
  • NtSetValueKey (ntdll.dll)
  • NtDeleteValueKey (ntdll.dll)
  • NtQueryValueKey (ntdll.dll)
  • NtOpenProcess (ntdll.dll)
  • WSPCloseSocket (mswsock.dll)
  • WSPConnect (mswsock.dll)
  • WSPGetPeerName (mswsock.dll)
  • InternetOpenW (wininet.dll)
  • InternetOpenA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetConnectA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • InternetSetStatusCallbackW (wininet.dll)
  • InternetSetStatusCallbackA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • HttpEndRequestW (wininet.dll)
  • HttpEndRequestA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • HttpQueryInfoW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpAddRequestHeadersW (wininet.dll)
  • HttpAddRequestHeadersA (wininet.dll)

The trojan opens some ports:

  • 32767
  • 32768

Please enable Javascript to ensure correct displaying of this content and refresh this page.