Win32/AutoRun.Agent.AQX [Threat Name] go to Threat

Win32/AutoRun.Agent.AQX [Threat Variant Name]

Category worm
Size 147456 B
Aliases BackDoor.Cybergate.3497 (Dr.Web)
  Rogue:W32/FakeAv.BI (F-Secure)
Short description

Win32/AutoRun.Agent.AQX is a worm that spreads via removable media. The worm collects various sensitive information. The worm attempts to send gathered information to a remote machine.


The worm may create copies of itself using the following filenames:

  • %windir%\­system32\­mswinvks.exe
  • %appdata%\­mswinvks.exe
  • %temp%\­%variable1%.exe
  • %appdata%\­%variable1%.exe
  • %variable2%\­%variable1%.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "explorer.exe %malwarefilepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "load" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable3%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable3%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Active Setup\­Installed Components\­%variable4%]
    • "StubPath" = ""%malwarefilepath%" -ac"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Userinit" = "%system%\­userinit.exe,%malwarefilepath%"

A string with variable content is used instead of %variable1-4% .

The following files may be dropped:

  • %windir%\­system32\­mswins.DLL
  • %windir%\­system32\­mswins.sys
  • %temp%\­mswins.DLL
  • %temp%\­mswins.sys

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­Software\­Program Groups]
    • "71608288" = "71608288"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "EnableLUA" = 0

Win32/AutoRun.Agent.AQX is a worm that spreads via removable media.

The worm copies itself into the root folders of removable drives using the following name:

  • msw0vks.exe

The worm creates the following file:

  • %removabledrive%\­autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

This file is usually dropped into the root folder of available drives in an attempt to autorun a malware executable when the infected drive is mounted.

The worm infects CD/DVD media by copying itself into the system directory that acts as a staging area for files waiting to be written to a CD/DVD.

Information stealing

The worm collects the following information:

  • computer name
  • user name
  • operating system version
  • installed antivirus software
  • installed firewall application
  • information about the operating system and system settings
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • logged keystrokes

The worm collects information related to the following applications:

  • Microsoft Internet Explorer
  • Microsoft MSN Messenger
  • Mozilla Firefox
  • Filezilla
  • FlashFXP

The worm is able to log keystrokes.

The collected information is stored in the following files:

  • %windir%\­system32\­mswins.DLL
  • %temp%\­mswins.DLL

The worm attempts to send gathered information to a remote machine. The FTP protocol is used.

Other information

The worm can detect presence of debuggers and other analytical tools.

The worm terminates processes with any of the following strings in the name:

  • aports.exe
  • dumpcap.exe
  • ethereal.exe
  • ettercap.exe
  • filemon.exe
  • gmer.exe
  • procmon.exe
  • procx.exe
  • regmon.exe
  • taskmgr.exe
  • wireshark.exe

Worm can detect presence of virtual environments and sandboxes.

The worm performs no action if any of the following applications is detected:

  • VMWare
  • QEMU
  • Virtual Box
  • Virtual PC
  • Sandboxie
  • Anubis
  • Joe Sandbox
  • CWSandbox
  • PopUpKiller
  • SyserDebugger
  • SoftICE

The worm can create and run a new thread with its own program code within the following processes:

  • iexplore.exe

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • log keystrokes
  • send gathered information

The malware configuration is passed as command line parameters or read from the file when the malware executable is launched.

The worm may attempt to download files from the Internet.

The files are stored in the following locations:

  • %temp%\­temp0z.exe
  • %temp%\­tmpZ%variable%.exe

The files are then executed.

The worm may execute the following commands:

  • cmd /c REG ADD HKLM\­System\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  • cmd /c REG ADD HKLM\­System\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­AuthorizedApplications\­List /v "%windir%\­system32\­mswinvks.exe" /t REG_SZ /d "%windir%\­system32\­mswinvks.exe:*:Enabled:Windows Messanger" /f

The performed command creates an exception in the Windows Firewall.

Please enable Javascript to ensure correct displaying of this content and refresh this page.