Win32/TrojanDropper.Agent.PEC [Threat Name]

Win32/TrojanDropper.Agent.PEC [Threat Variant Name]

Category: trojan
Size: 151552 B
Aliases: Trojan-Dropper.Win32.Agent.egnh (Kaspersky)
         TrojanDropper:Win32/Crenufs.A (Microsoft)
Short description

Win32/TrojanDropper.Agent.PEC is a trojan which tries to promote certain web sites.

Installation

When executed, the trojan creates the following files:

  • %currentfolder%\%variable%.exe
  • %currentfolder%\%variable%.exe.bat
  • %currentfolder%\%variable2%.exe.bat
  • %startup%\.jse
  • %windir%\tao.ico
  • %windir%\system32\XlKankan.dll

The trojan creates the following folders:

  • %windir%\%date%\%variable3%\script
  • %windir%\%date%\%variable4%

The trojan may create the following files in the %windir%\%date%\%variable4% folder:

  • smss.exe
  • smss.exe.bat

The trojan may create the following files in the %windir%\%date%\%variable3%\script folder:

  • script.exe
  • script.exe.bat
  • script.vbs
  • script.vbs.bat
  • reg.bat
  • regBHO.reg
  • XlKankan.dll

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}]
  • [HKEY_CLASSES_ROOT\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}]
    • "(Default)" = "QvodAdBlocker.xunlei"
  • [HKEY_CLASSES_ROOT\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32]
    • "(Default)" = "%system%\XlKankan.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ProgID]
    • "(Default)" = "QvodAdBlocker.xunlei"
  • [HKEY_CLASSES_ROOT\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\TypeLib]
    • "(Default)" = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}"
  • [HKEY_CLASSES_ROOT\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\VERSION]
    • "(Default)" = "1.0"
  • [HKEY_CLASSES_ROOT\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0]
    • "(Default)" = "QvodAdBlocker"
  • [HKEY_CLASSES_ROOT\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0\win32]
    • "(Default)" = "%windir%\system32\XlKankan.dll"
  • [HKEY_CLASSES_ROOT\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\FLAGS]
    • "(Default)" = "0"
  • [HKEY_CLASSES_ROOT\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\HELPDIR]
    • "(Default)" = "C:\WINDOWS\system32"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllTypes\shell\open\command]
    • "(Default)" = "%WinDir%\%date%\%variable3%\script\script.exe %1"
    • ".ini" = "%value%"
    • ".txt" = "%value%"
  • [HKEY_CLASSES_ROOT\.ini]
    • "(Default)" = "AllTypes"
  • [HKEY_CLASSES_ROOT\.txt]
    • "(Default)" = "AllTypes"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "flashget" = "%WinDir%\%date%\%variable4%\smss.exe"

After the installation is complete, the trojan deletes the original executable file.

A string with variable content is used instead of %variable%, %variable2%, %variable3% and %variable4%.

Other information

The trojan may create the text file:

  • %windir%\userid.txt

The trojan connects to the following addresses:

  • tj.vippin.cn

The trojan collects the following information:

  • network adapter information
  • computer IP address

The trojan attempts to send gathered information to a remote machine.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    • "DefaultScope" = "{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}]
    • "URL" = "http://www.mylovewebs.com/api/baidu/so.htm?word={searchTerms}"
    • "FaviconPath" = "%localappdata%\Microsoft\Internet Explorer\Services\search_{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}.ico"
    • "SortIndex" = 2
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}]
    • "URL" = "http://www.mylovewebs.com/api/taobao/so.htm?word={searchTerms}"
    • "FaviconURL" = "http://www.taobao.com/favicon.ico"
    • "FaviconPath" = "%localappdata%\Microsoft\Internet Explorer\Services\search_{E140FB5B-2A9D-4FA4-A20F-089B92412200}.ico"
    • "SortIndex" = 6
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\css\shell\open\command]
    • "(Default)" = "C:\Program Files\Internet Explorer\iexplore.exe http://www.zaodezhu.com/?my=%userid.txt%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command]
    • "(Default)" = "C:\Program Files\Internet Explorer\iexplore.exe http://www.mylovewebs.com/api/http/index.htm? %1"
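
The following PowerShell check is an added example, not part of this threat description: it looks for the fixed artifacts listed in the Installation and Other information sections (dropped files, the BHO CLSID and TypeLib registration, the AllTypes/css/HTTP shell-open hijacks, the "flashget" Run value and the two IE SearchScopes). It assumes an elevated prompt on the suspect host; paths containing %date% or %variable% placeholders cannot be resolved and are not checked directly.

```powershell
# Added example: audit a host for the Win32/TrojanDropper.Agent.PEC artifacts listed on this page.
# Assumption: run as Administrator; only fixed (non-%variable%) indicators are checked.
$bhoClsid = '{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}'
$typeLib  = '{352EE19A-DA33-499F-B3B1-7A2DFC87D983}'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files with fixed names under %windir%
foreach ($p in @("$env:windir\system32\XlKankan.dll", "$env:windir\tao.ico", "$env:windir\userid.txt")) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}

# 2. BHO registration: Explorer BHO list, CLSID and TypeLib keys
foreach ($k in @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
                 "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid",
                 "Registry::HKEY_CLASSES_ROOT\TypeLib\$typeLib")) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# 3. File-association hijacks: .ini/.txt routed through "AllTypes", and the
#    AllTypes/css/HTTP open commands pointing at script.exe or the listed domains
foreach ($ext in '.ini', '.txt') {
    $v = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ($v -eq 'AllTypes') { $findings.Add("$ext association redirected to AllTypes") }
}
foreach ($cls in 'AllTypes', 'css', 'HTTP') {
    $cmd = (Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\$cls\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'script\.exe|mylovewebs\.com|zaodezhu\.com') { $findings.Add("$cls open command hijacked: $cmd") }
}

# 4. Run-key persistence: a value named "flashget" that launches an smss.exe copy
$run = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue).flashget
if ($run -and $run -match 'smss\.exe') { $findings.Add("Run value flashget: $run") }

# 5. Internet Explorer search-scope hijack in the current user's hive
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
foreach ($id in '{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}', '{E140FB5B-2A9D-4FA4-A20F-089B92412200}') {
    if (Test-Path -LiteralPath "$scopes\$id") { $findings.Add("IE SearchScope present: $id") }
}

if ($findings.Count -eq 0) { 'No Win32/TrojanDropper.Agent.PEC artifacts found.' } else { $findings }
```

Any hit should be confirmed against the full list above before cleanup, since the AllTypes and HTTP handlers also need restoring to their original commands.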

The trojan interferes with the operation of some security applications to avoid detection.


The following programs are terminated:

  • 360sd.exe
  • 360tray.exe
  • 360rp.exe
  • 360Safe.exe
