Win32/AutoRun.Agent.PG [Threat Name] go to Threat

Win32/AutoRun.Agent.PG [Threat Variant Name]

Category	worm
Size	32169 B
Aliases	Trojan-Dropper.Win32.Mudrop.bnj (Kaspersky)
	Trojan.Dropper (Symantec)
	TrojanDownloader:Win32/Dogkild.O (Microsoft)

Short description

Win32/AutoRun.Agent.PG is a worm that spreads by copying itself into the root folders of available drives. The file is run-time compressed using NsPack .

Installation

When executed, the worm creates the following files:

%windir%\phpq.dll (45568 B)
%system%\func.dll (38400 B)
%system%\drivers\pcidump.sys (11904 B)

The worm attempts to replace the following files with a copy of itself:

%system%\drivers\acpiec.sys

Installs the following system drivers:

%system%\drivers\acpiec.sys (14080 B)
%system%\drivers\pcidump.sys (11904 B)

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control]
- "*NewlyCreated*" = 0
- "ActiveService" = "pcidump"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000]
- "Service" = "pcidump"
- "Legacy" = 1
- "ConfigFlags" = 0
- "Class" = "LegacyDriver"
- "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- "DeviceDesc" = "pcidump"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP]
- "NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control]
- "*NewlyCreated*" = 0
- "ActiveService" = "UPDATEDATA"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000]
- "Service = "UPDATEDATA"
- "Legacy = 1
- "ConfigFlags = 0
- "Class = "LegacyDriver"
- "ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- "DeviceDesc = "UPDATEDATA"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA]
- "NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum]
- "0" = "Root\LEGACY_UPDATEDATA\0000"
- "Count" = 1
- "NextInstance" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security]
- "Security" = %hex_value%
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPDATEDATA]
- "Type" = 1
- "Start" = 3
- "ErrorControl" = 0
- "ImagePath" = "%system%\drivers\acpiec.sys"
- "DisplayName" = "UPDATEDATA"

Spreading

Win32/AutoRun.Agent.PG is a worm that spreads by copying itself into the root folders of available drives.

The following filename is used:

%drive%\1.exe

The following file is dropped in the same folder:

autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

network adapter information
malware version
operating system version

The worm can send the information to a remote machine. The HTTP protocol is used.

Other information

The following programs are terminated:

360Safe.exe
360Safebox.exe
360tray.exe
AgentSvr.exe
antiarp.exe
ANTI-TROJAN.exe
antivir.exe
AUTODOWN.exe
AVKSERV.exe
AVPUPD.exe
AVSCHED32.exe
avsynmgr.exe
AVWIN95.exe
CCenter.exe
CFIAUDIT.exe
CFIND.exe
cfinet.exe
cfinet32.exe
DrRtp.exe
DV95.exe
DV95_O.exe
DVP95.exe
egui.exe
ekrn.exe
JED.exe
Kabackreport.exe
kaccore.exe
Kasmain.exe
kav32.exe
kavstart.exe
kissvc.exe
kmailmon.exe
KPFW32.exe
kpfw32.exe
kpfwsvc.exe
KPPMain.exe
KRF.exe
KVMonXP.exe
KVPreScan.exe
kwatch.exe
luall.exe
LUCOMSERVER.exe
mcafee.exe
McNASvc.exe
McProxy.exe
Mcshield.exe
mon.exe
moniker.exe
MOOLIVE.exe
MpfSrv.exe
N32ACAN.exe
navapsvc.exe
navapw32.exe
NAVLU32.exe
NAVNT.exe
navrunr.exe
NAVSCHED.exe
NAVW.exe
NAVW32.exe
navwnt.exe
nod32krn.exe
PCCClient.exe
pccguide.exe
pcciomon.exe
pccmain.exe
pccwin98.exe
PCFWALLICON.exe
PERSFW.exe
pop3trap.exe
PpPpWallRun.exe
program.exe
prot.exe
pview95.exe
QQDoctor.exe
ras.exe
Rav.exe
RAV7.exe
rav7win.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
rescue32.exe
Rfw.exe
rfwmain.exe
rfwProxy.exe
rfwsrv.exe
rfwstub.exe
Rsaupd.exe
RsMain.exe
rsnetsvr.exe
rssafety.exe
RsTray.exe
safeboxTray.exe
safeweb.exe
scam32.exe
scan.exe
SCAN32.exe
ScanFrm.exe
SCANPM.exe
scon.exe
SCRSCAN.exe
secu.exe
SERV95.exe
sirc32.exe
SMC.exe
smtpsvc.exe
SPHINX.exe
spy.exe
SWEEP95.exe
TBSCAN.exe
TCA.exe
TDS2-98.exe
TDS2-NT.exe
Tmntsrv.exe
TMOAgent.exe
tmproxy.exe
tmupdito.exe
TSC.exe
UlibCfg.exe
vavrunr.exe
VET95.exe
VETTRAY.exe
vir.exe
VPC32.exe
VSECOMR.exe
vshwin32.exe
VSHWIN32.exe
VSSCAN40
vsstat.exe
WEBSCAN.exe
WEBSCANX.exe
webtrap.exe
WFINDV32.exe
windowsÓĹ»Ż´óĘ¦.exe
wink.exe
zonealarm.exe
ZONEALARM.exe

The worm modifies the following file:

%system%\drivers\etc\hosts

The worm writes the following entries to the file:

127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.0.0.3 adlaji.cn
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 vip2.51.la
127.0.0.1 web.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com

This blocks access to several Internet servers.

The worm may create copies of the following files (source, destination):

%system%\drivers\gm.dls, %windir%\temp\explorer.exe

The worm launches the following processes:

cmd /c cacls %windir% /e /p everyone:f
cmd /c cacls "%temp%\" /e /p everyone:f
cmd /c sc config ekrn start= disabled
cmd /c taskkill /im ekrn.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c sc config avp start= disabled
cmd /c taskkill /f /im avp.exe
cmd /c taskkill /im ScanFrm.exe /f
rundll32.exe func.dll, droqp

The worm contains a list of (3) URLs. It tries to download several files from the addresses. The HTTP protocol is used.

These are stored in the following locations:

%filepath%
%system%\drivers\192yuioealdjfiefjsdfas.txt

A string with variable content is used instead of %filepath% . The files are then executed.

The worm creates copies of the following files (source, destination):

%filepath%, %windir%\setup.exe
%filepath%, %drive%\1.exe

The worm creates and runs a new thread with its own program code within the following processes:

avp.exe