
Trojan.Win32.Agent.dbyy

Detected Nov 13 2009 03:49 GMT
Released Nov 13 2009 08:36 GMT
Published Mar 24 2011 13:54 GMT


Technical Details

This worm creates copies of itself on local disks and write-accessible removable disks. It is a Windows application (PE EXE file). It is 172 050 bytes in size. It is written in Delphi.

Installation

Once launched, the worm copies its body to the following files:

%System%\wuauolts.exe
%Program Files%\mosss.exe
The file "wuauolts.exe" is then launched for execution.

To automatically launch the file "mosss.exe" each time the system is rebooted, the following shortcut is created:

%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\iajsd.lnk
In addition, executable code is injected into the address space of the process "WINLOGON.EXE" to hinder deletion of the files "mosss.exe" and "iajsd.lnk".

Propagation

The worm copies its body to all write-accessible disk partitions and removable disks connected to the infected computer:

<name of infected partition>:\QGS.exe
Along with the copy of itself, the worm places the following file in the root directory of the infected disk:
<name of infected partition>:\AutoRun.inf
with the following content:
[AutoRun]
shell\open=+?ê(&O)
shell\open\Command=QGS.exe
shell\open\Default=1
shell\explore=+L+-Lý?(&X)
shell\explore\Command=QGS.exe
This file enables the worm to launch itself each time the user accesses the infected partition using Explorer.

Hidden and system attributes are assigned to the files that are created. In addition, the worm browses the root directory of the infected removable disk and creates there copies of itself named after each directory it finds, while assigning the hidden attribute to those directories, so that the worm's executables appear in place of the now-hidden folders.
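The AutoRun.inf described above can be triaged offline before a drive is ever opened in Explorer. The following Python routine is an added example and not code from the Kaspersky description; it parses a constructed AutoRun.inf (readable ASCII verb labels stand in for the mis-encoded ones on the page) and reports the traits that make such a file worth flagging: launch keys that point at an executable on the volume, every verb routed to one and the same program, and shell\open\Default=1 making the hijacked verb the double-click default. A benign icon-only file is included to show the negative case.

```python
# Added example (not part of the Kaspersky description): offline triage of
# an AutoRun.inf file of the kind the worm drops in the root of each volume.
import re

# Constructed sample mirroring the structure on the page.  The verb labels on
# the original are mis-encoded, so readable ASCII labels stand in for them.
SAMPLE_AUTORUN = """[AutoRun]
shell\\open=Open(&O)
shell\\open\\Command=QGS.exe
shell\\open\\Default=1
shell\\explore=Explore(&X)
shell\\explore\\Command=QGS.exe
"""

# Constructed benign sample: only an icon and a label, launches nothing.
BENIGN_AUTORUN = """[AutoRun]
icon=setup.exe,0
label=Holiday photos
"""

# Keys whose value names a program Explorer would run from the volume:
# open, shellexecute, and shell\<verb>\command for any verb.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def parse_autorun(text):
    """Return {key (lower-case): value} for the [AutoRun] section only."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """Return (key, program) pairs for every key that launches a program."""
    targets = []
    for key, value in parse_autorun(text).items():
        if LAUNCH_KEY.match(key) and value:
            # The program is the first token; quotes around paths are dropped.
            targets.append((key, value.split()[0].strip('"')))
    return targets


def assess_autorun(text):
    """Summarise the traits a defender would flag in this file."""
    entries = parse_autorun(text)
    targets = launch_targets(text)
    programs = {program.lower() for _, program in targets}
    return {
        "launch_targets": targets,
        # An executable launched straight from the volume (the worm's QGS.exe).
        "runs_local_executable": any(
            p.endswith((".exe", ".com", ".bat", ".cmd", ".pif", ".scr"))
            for p in programs
        ),
        # Every verb (open, explore, ...) funnels into one and the same program.
        "all_verbs_one_program": len(programs) == 1 and len(targets) > 1,
        # shell\open\Default=1 makes the hijacked "open" the double-click default.
        "open_is_default": entries.get("shell\\open\\default") == "1",
    }


if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN))
    print(assess_autorun(BENIGN_AUTORUN))
```

Run it against the AutoRun.inf copied from a suspect volume (`assess_autorun(open(path, encoding="latin-1").read())`); the file's own encoding does not matter for the launch keys, which are plain ASCII.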


Payload

Once launched, the worm carries out the following actions:

  • It modifies the following system registry key values:
    [HKCR\exefile]
    "NeverShowExt" = "1"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden" = "0"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "0"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
    "Type" = "checkbox2"
    
    Thereby, the extensions of .exe files are hidden, while hidden files are prevented from being displayed in Windows Explorer.
  • It terminates the following processes, which belong to antivirus and firewall products:
    safeboxTray.exe 
    360Safe.exe 
    360safebox.exe  
    360tray.exe 
    RsMain.exe  
    RavTask.exe 
    rfwmain.exe 
    pfw.exe 
    RavMonD.exe 
    Rav.exe 
    RavMon.exe  
    RsTray.exe  
    FYFireWall.exe  
    KavPFW.exe  
    rsnetsvr.exe    
    DSMain.exe  
    ras.exe 
    rstry.exe   
    knownsvr.exe    
    ScanFrm.exe 
    CCenter.exe 
    360rpt.exe  
    RAVTIMER.EXE    
    rfwsrv.exe  
    avconsol.exe    
    avsynmgr.exe    
    alogserv.exe    
    Navapsvc.exe    
    rtvscan.exe 
    vptray.exe  
    vshwin32.exe    
    vsmon.exe   
    vsstat.exe  
    webscanx.exe    
    ccRegVfy.exe    
    KAVPlus.EXE 
    KWatchUI.EXE    
    KPopMon.EXE 
    KULANSyn.EXE    
    KAVSvc.EXE  
    KAVStart.exe    
    KMailMon.EXE    
    KPfwSvc.EXE 
    KWatch.EXE  
    NPFMntor.exe    
    RavStub.exe 
    TrojDie.kxp 
    avp.exe
    
    To do this, it uses the following driver, which is extracted from the worm's body: %System%\drivers\BGS.sys (1984 bytes; detected by Kaspersky Anti-Virus as "Rootkit.Win32.Small.aoo")
  • It deletes the following files:
    %System%\RavExt.dll
    %System%\bsmain.exe 
    
  • It blocks several antivirus programs from starting by creating a system registry key of the following form for each of them:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name of process>]
    "Debugger" = "ntsd -d"
    
    Windows runs the command in the "Debugger" value in place of any image with that name, so the antivirus process never starts normally. In all, 46 keys are created. The substring "<name of process>" takes the following values:
    safeboxTray.exe
    360Safe.exe
    360safebox.exe
    360tray.exe
    RsMain.exe
    RavTask.exe
    rfwmain.exe
    pfw.exe
    RavMonD.exe
    Rav.exe
    RavMon.exe
    RsTray.exe
    FYFireWall.exe
    KavPFW.exe
    rsnetsvr.exe
    DSMain.exe
    ras.exe
    rstry.exe
    knownsvr.exe
    ScanFrm.exe
    CCenter.exe
    360rpt.exe
    RAVTIMER.EXE
    rfwsrv.exe
    avconsol.exe
    avsynmgr.exe
    alogserv.exe
    Navapsvc.exe
    rtvscan.exe
    vptray.exe
    vshwin32.exe
    vsmon.exe
    vsstat.exe
    webscanx.exe
    ccRegVfy.exe
    KAVPlus.EXE
    KWatchUI.EXE
    KPopMon.EXE
    KULANSyn.EXE
    KAVSvc.EXE
    KAVStart.exe
    KMailMon.EXE
    KPfwSvc.EXE
    KWatch.EXE
    NPFMntor.exe
    
  • It creates the following system registry keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Installer]
    "QDS" = "ofhrb"
    
    [HKLM\Software\Microsoft\Tracing\wuauolts_RASAPI32]
    "EnableFileTracing" = "0"
    "EnableConsoleTracing" = "0"
    "FileTracingMask" = "4294901760"
    "ConsoleTracingMask" = "4294901760"
    "MaxFileSize" = "1048576"
    "FileDirectory" = "%windir%\tracing"
    
    [HKLM\Software\Microsoft\Tracing\wuauolts_RASMANCS]
    "EnableFileTracing" = "0"
    "EnableConsoleTracing" = "0"
    "FileTracingMask" = "4294901760"
    "ConsoleTracingMask" = "4294901760"
    "MaxFileSize" = "1048576"
    "FileDirectory" = "%windir%\tracing"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    "{871C5380-42A0-1069-A2EA-08002B30309D}" = "1"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    "{871C5380-42A0-1069-A2EA-08002B30309D}" = "1"
    
  • It modifies the hosts file:
    %System%\drivers\etc\hosts
    appending the following entries to it:
    127.0.0.1 www.iq123.com
    127.0.0.1 www.yijidh.com
    127.0.0.1 www.250dh.cn
    127.0.0.1 www.223.la
    127.0.0.1 www.kuku123.com
    127.0.0.1 www.930930.com
    127.0.0.1 www.7999.com
    127.0.0.1 www.9123.com
    127.0.0.1 www.hao123e.com
    127.0.0.1 www.020.com
    127.0.0.1 www.sosote.com
    127.0.0.1 www.uu108.com
    127.0.0.1 www.yao.la
    127.0.0.1 www.youxi777.com
    127.0.0.1 www.1616.net
    127.0.0.1 www.1188.com
    127.0.0.1 www.9605.com
    127.0.0.1 05505.cn
    127.0.0.1 7055.net
    127.0.0.1 www.0056.com
    127.0.0.1 www.6655.com
    127.0.0.1 www.1166.com
    127.0.0.1 www.5kip.com
    127.0.0.1 www.114xia.com
    127.0.0.1 www.pp55.com
    127.0.0.1 www.265dh.com
    127.0.0.1 www.3567.com
    127.0.0.1 www.6565.cn
    127.0.0.1 www.666t.com
    127.0.0.1 www.9223.com
    127.0.0.1 www.dduu.com
    127.0.0.1 www.hao123.cn
    127.0.0.1 5snow.com
    127.0.0.1 www.2523.com
    127.0.0.1 www.5599.net
    127.0.0.1 www.tt98.com
    127.0.0.1 www.zhaodao123.com
    127.0.0.1 www.www.kuhao123.com
    127.0.0.1 www.5151la.net
    127.0.0.1 www.3567.com
    127.0.0.1 www.6h.com.cn
    127.0.0.1 www.zeibi.com
    127.0.0.1 www.6e8e.com
    127.0.0.1 www.th123.com
    127.0.0.1 www.hao123ol.com
    127.0.0.1 www.wu123.com
    127.0.0.1 www.t220.cn
    127.0.0.1 www.ttver.net
    127.0.0.1 www.188HI.com
    127.0.0.1 www.2523.com
    127.0.0.1 www.go2000.com
    127.0.0.1 www.5igb.com
    127.0.0.1 www.bb2000.net
    127.0.0.1 www.9wa.com
    127.0.0.1 www.qq5.com
    127.0.0.1 www.365j.com
    127.0.0.1 www.7345.com
    127.0.0.1 www.2760.com
    127.0.0.1 www.361la.com
    127.0.0.1 www.haojs.com
    127.0.0.1 www.5zd.com
    127.0.0.1 www.i8866.com
    127.0.0.1 www.100wz.com
    127.0.0.1 www.114hi.com
    127.0.0.1 www.234.la 
    127.0.0.1 www.657.com
    127.0.0.1 www.339.la
    127.0.0.1 www.365wz.net
    127.0.0.1 www.71314.com
    127.0.0.1 www.7792.com
    127.0.0.1 www.9495.com
    127.0.0.1 www.dazuimao.com
    127.0.0.1 www.71314.com
    127.0.0.1 www.gouwo.com
    127.0.0.1 www.huai456.com
    127.0.0.1 www.ku256.com
    127.0.0.1 www.my180.com
    127.0.0.1 www.2522.cn
    127.0.0.1 www.405.cn
    127.0.0.1 www.44244.com
    127.0.0.1 www.111dh.com
    127.0.0.1 www.115ku.com
    127.0.0.1 www.13387.com
    127.0.0.1 www.163yes.com
    127.0.0.1 www.2523.com
    127.0.0.1 www.256s.com
    127.0.0.1 www.2676.com
    127.0.0.1 www.3355.net
    127.0.0.1 www.365lo.com
    127.0.0.1 www.4168.com
    127.0.0.1 www.4545.cn
    127.0.0.1 www.4688.com
    127.0.0.1 www.566.net
    127.0.0.1 www.5666.net
    127.0.0.1 www.5733.com
    127.0.0.1 www.6461.cn
    127.0.0.1 www.7356.com
    127.0.0.1 www.800186.com
    127.0.0.1 www.85851.com
    127.0.0.1 www.asp51.com
    127.0.0.1 www.361dh.com
    127.0.0.1 www.5566.net
    127.0.0.1 www.yulinweb.com
    127.0.0.1 www.6296.com.cn
    127.0.0.1 www.mianfeia.com
    127.0.0.1 www.ai1234.com
    127.0.0.1 www.k369.com
    127.0.0.1 www.msncn.com
    127.0.0.1 www.ss256.com
    127.0.0.1 www.min513.com
    127.0.0.1 www.88-888.com
    127.0.0.1 www.lggg.cn
    127.0.0.1 www.7771.cn
    127.0.0.1 www.leeboo.com
    127.0.0.1 www.jjol.cn
    127.0.0.1 www.5566.com
    127.0.0.1 www.9166.net
    127.0.0.1 www.hao253.com 
    127.0.0.1 mx.1616.net
    127.0.0.1 www.7b.com.cn
    127.0.0.1 www.haoei.com
    127.0.0.1 www.21310.cn
    127.0.0.1 www.weiduomei.net
    127.0.0.1 www.kuku123.com
    127.0.0.1 www.kk3000.cn
    127.0.0.1 www.th123.com
    127.0.0.1 www.7241.cn
    127.0.0.1 www.44384.com
    127.0.0.1 www.3567.com
    127.0.0.1 www.930930.com
    127.0.0.1 www.131.cc
    127.0.0.1 www.223224.com
    127.0.0.1 www.537.com
    127.0.0.1 www.9348.cn
    127.0.0.1 www.bju123.cn
    127.0.0.1 www.hao123ol.com
    127.0.0.1 www.i4455.com
    127.0.0.1 www.asp51.com
    127.0.0.1 www.f127.com
    127.0.0.1 www.jia123.com
    127.0.0.1 www.0666.com.cn
    127.0.0.1 www.5599.net
    127.0.0.1 www.365j.com
    127.0.0.1 www.553.la
    127.0.0.1 www.5566.org
    127.0.0.1 www.37021.com
    127.0.0.1 www.88488.com
    127.0.0.1 www.99986.net
    127.0.0.1 www.37021.net
    127.0.0.1 www.k986.com
    127.0.0.1 www.cc62.com
    127.0.0.1 www.5518.cn
    127.0.0.1 www.55620.com
    127.0.0.1 www.52416.com
    127.0.0.1 www.7357.cn
    127.0.0.1 www.8c8c.net
    127.0.0.1 www.9999q.com
    127.0.0.1 www.123shi123.com
    127.0.0.1 www.yl234.cn
    127.0.0.1 www.3322.com
    127.0.0.1 www.hao222.com
    127.0.0.1 www.6313.com
    127.0.0.1 www.i4455.com
    127.0.0.1 www.f127.com
    127.0.0.1 www.5599cn.cn
    127.0.0.1 www.99499.com
    127.0.0.1 www.2548.cn
    127.0.0.1 www.133.net
    127.0.0.1 www.ie30.com
    127.0.0.1 www.8751.com
    127.0.0.1 www.8751.com
    127.0.0.1 www.7241.cn
    127.0.0.1 www.160dh.com
    127.0.0.1 www.114115.com
    127.0.0.1 www.1322.cn
    127.0.0.1 www.hh361.com
    127.0.0.1 www.2800.cc
    127.0.0.1 www.52daohang.com
    127.0.0.1 www.186.me
    127.0.0.1 www.diyidh.com
    
    Thereby, name resolution for the listed hosts is redirected to the local computer and access to these resources is blocked.
  • It extracts the following library from its body:
    %System%\iajsd.dll
    (17 920 bytes; detected by Kaspersky Anti-Virus as "not-a-virus:Monitor.Win32.ActualSpy.27") and injects this library's executable code into the address space of all processes launched in the system. The worm uses the extracted library to hook the function "NtQuerySystemInformation()" system-wide, hiding its process from the list of processes in Task Manager.
  • It creates the following shortcuts:
    %USERPROFILE%\Desktop\Internet Explorer.lnk
    %USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
    
    Both shortcuts launch Internet Explorer with the following target and command-line argument:
    "%Program Files%\Internet Explorer\iexplore.exe" http://i.163vv.com
    
  • It accesses the following resources:
    www.a***ifen.com
    www.b***du.com
    
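The registry changes listed in this section (the Explorer hiding tweaks and the Image File Execution Options "Debugger" entries) are straightforward to check in a registry export taken from a suspect machine or a forensic image. The following Python script is an added example, not part of the Kaspersky description: it parses a constructed .reg export in the format written by regedit/reg.exe and reports IFEO subkeys that carry a Debugger value together with Explorer settings that are in their hiding state. Any IFEO Debugger entry on an end-user machine deserves review, not only the "ntsd -d" value used here.

```python
# Added example (not from the Kaspersky description): scan a Windows .reg
# export for the Explorer hiding tweaks and the IFEO "Debugger" entries
# described above.
import re

# Constructed .reg text in the format produced by regedit / reg.exe export.
# The notepad.exe subkey is a benign IFEO entry without a Debugger value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox2"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
IFEO = "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"


def _decode(data):
    """Decode REG_SZ and REG_DWORD data; other types are returned as raw text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text):
    """Return {key path (lower-case): {value name (lower-case): data}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group("path").lower()
            reg.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            reg[current][value.group("name").lower()] = _decode(value.group("data"))
    return reg


def _strip_hive(key):
    """Drop the HKEY_* prefix so paths compare regardless of hive spelling."""
    return key.split("\\", 1)[1] if "\\" in key else key


def find_ifeo_debuggers(reg):
    """(image name, debugger command) for every IFEO subkey with a Debugger value."""
    hits = []
    for key, values in reg.items():
        path = _strip_hive(key)
        if path.startswith(IFEO) and "debugger" in values:
            hits.append((path[len(IFEO):], values["debugger"]))
    return sorted(hits)


def find_explorer_hiding(reg):
    """Names of the Explorer settings from the description found in their hiding state."""
    def zero(v):
        return v in (0, "0")
    checks = [
        ("hide_exe_extension", "hkey_classes_root\\exefile", "nevershowext", lambda v: True),
        ("hide_protected_os_files",
         "hkey_current_user\\software\\microsoft\\windows\\currentversion\\explorer\\advanced",
         "showsuperhidden", zero),
        ("show_hidden_files_option_broken",
         "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\hidden\\showall",
         "checkedvalue", zero),
        ("superhidden_checkbox_forced",
         "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\superhidden",
         "type", lambda v: v == "checkbox2"),
    ]
    return [name for name, key, value, bad in checks
            if value in reg.get(key, {}) and bad(reg[key][value])]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("IFEO debuggers:", find_ifeo_debuggers(parsed))
    print("Explorer hiding:", find_explorer_hiding(parsed))
```

Export the relevant hives with `reg export` on the affected machine (or from an offline hive with a registry tool of your choice) and feed the resulting text to `parse_reg`; regedit writes UTF-16 files, so open them with `encoding="utf-16"`.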

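The hosts-file modification above is the easiest of the payloads to verify and to undo by hand. This Python example is added here and is not from the Kaspersky description; it parses a constructed hosts file containing a default localhost mapping plus a few of the entries from the list above, reports public names that have been pointed at loopback or the unspecified address, finds repeated mappings (the worm's own list contains repeats, for example www.3567.com), and returns a cleaned copy with the sinkhole lines removed.

```python
# Added example (not part of the Kaspersky description): analyse a hosts
# file for public names redirected to the local machine and clean it.
import ipaddress

# Addresses used to sinkhole a name: loopback or the unspecified address.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample: default loopback lines plus a few entries from the list
# above (one repeated, as in the worm's own list) and one legitimate mapping.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.iq123.com
127.0.0.1 www.yijidh.com
127.0.0.1 www.3567.com
127.0.0.1 www.3567.com
10.0.0.5 build.internal.example   # constructed internal host, legitimate
"""


def parse_hosts(text):
    """Return (address, hostname, line number) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            addr = str(ipaddress.ip_address(addr))  # normalise, e.g. 0::1 -> ::1
        except ValueError:
            continue  # malformed line; a full tool would report it
        for name in names:
            entries.append((addr, name.lower(), lineno))
    return entries


def _is_sinkhole(addr, name):
    return addr in SINKHOLE_ADDRS and name not in LOCAL_NAMES


def find_sinkholed_hosts(text):
    """Hostnames pointed at loopback/null that are not standard local names."""
    return sorted({name for addr, name, _ in parse_hosts(text)
                   if _is_sinkhole(addr, name)})


def find_duplicate_mappings(text):
    """(address, hostname) pairs that occur more than once."""
    seen, dupes = set(), set()
    for addr, name, _ in parse_hosts(text):
        if (addr, name) in seen:
            dupes.add((addr, name))
        seen.add((addr, name))
    return sorted(dupes)


def remove_sinkhole_lines(text):
    """Return the hosts text with every line that sinkholes a public name removed."""
    bad_lines = {lineno for addr, name, lineno in parse_hosts(text)
                 if _is_sinkhole(addr, name)}
    kept = [line for lineno, line in enumerate(text.splitlines(), 1)
            if lineno not in bad_lines]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print("sinkholed:", find_sinkholed_hosts(SAMPLE_HOSTS))
    print("duplicates:", find_duplicate_mappings(SAMPLE_HOSTS))
    print(remove_sinkhole_lines(SAMPLE_HOSTS))
```

On a live machine the file is %System%\drivers\etc\hosts; review the reported names before writing the cleaned copy back, since some administrators and ad-blocking tools legitimately sinkhole hostnames the same way.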

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, use Kaspersky Anti-Virus to delete it: perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Agent.dbyy (Kaspersky Lab) is also known as:

  • Virus: W32/Emerleox.worm (McAfee)
  • Mal/Emogen-E (Sophos)
  • Trojan.Siggen.40386 (DrWeb)
  • Gen:Trojan.Heur.kSX@rTNasLlbb (BitDef7)
  • Backdoor.Agent.QBQQ (VirusBuster)
  • Win32:Malware-gen (AVAST)
  • Trojan.Win32.Agent (Ikarus)
  • BDS/Backdoor.Gen (AVIRA)
  • Infostealer (NAV)
  • Worm.Win32.AutoRun.tlp (Rising)
  • Trojan.Win32.Agent.dbyy [AVP] (FSecure)
  • Backdoor.Agent.QBQQ (VirusBusterBeta)