Trojan.Win32.Agent.dbyy
| Detected | Nov 13 2009 03:49 GMT |
| Released | Nov 13 2009 08:36 GMT |
| Published | Mar 24 2011 13:54 GMT |
This worm creates copies of itself on local disks and on write-accessible removable disks (the detection name carries the Trojan.Win32 prefix, but the behaviour described here is that of a worm). It is a Windows application (PE EXE file), 172 050 bytes in size, written in Delphi.
Once launched, the worm copies its body to the following files:
%System%\wuauolts.exe
%Program Files%\mosss.exe
The file "wuauolts.exe" is then launched for execution.
To launch the file "mosss.exe" automatically each time the system is started, the following shortcut is created in the all-users Startup folder:
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\iajsd.lnk
In addition, executable code is injected into the address space of the process "WINLOGON.EXE" to hinder deletion of the files "mosss.exe" and "iajsd.lnk".
The worm copies its body to the root of every write-accessible disk partition and removable disk connected to the infected computer:
<name of infected partition>:\QGS.exe
Along with the copy of itself, the worm places the following file in the root directory of the infected disk:
<name of infected partition>:\AutoRun.inf
with the following content:
[AutoRun]
shell\open=+?ê(&O)
shell\open\Command=QGS.exe
shell\open\Default=1
shell\explore=+L+-Lý?(&X)
shell\explore\Command=QGS.exe
This file redefines the drive's "Open" and "Explore" verbs, so that on systems where AutoRun is honoured for that drive type the worm runs each time the user opens the infected partition in Explorer, whether by double-clicking it or from its context menu. Windows updates released from 2011 (KB971029) stop honouring AutoRun.inf on non-optical removable media, which neutralises this vector on patched systems.
Hidden and system attributes are assigned to the files that are created. In addition, the worm enumerates the root directory of the infected removable disk and creates a copy of itself named after each directory it finds (a directory "Photos" gains a sibling "Photos.exe"); the directories themselves are given the hidden attribute. Combined with the Explorer settings changed below (extensions and hidden files suppressed), the executable copy is what the user sees and opens in place of the folder.
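The following is an added triage example for this page, not code from the description or from Kaspersky. It parses an AutoRun.inf for the verbs that hand an executable to Explorer, and checks a drive-root listing for the "copy named after a hidden directory" pattern described above. The AutoRun.inf text and the directory listing are constructed for the demo and follow the layout the description gives (QGS.exe in the root; the directory names "Photos" and "Work" are invented).

```python
"""Triage of a removable-disk root for the propagation pattern described above.

Added example for this page, not code from the description or from Kaspersky.
The AutoRun.inf text and the directory listing are constructed for the demo and
follow the layout the description gives (QGS.exe in the drive root; a copy named
after every directory, with the directory itself hidden).
"""
from typing import Dict, List, Tuple

# Constructed AutoRun.inf in the style of the one the worm drops. The menu
# captions are placeholders; the key names and commands are what matter.
SAMPLE_AUTORUN = r"""[AutoRun]
shell\open=Open(&O)
shell\open\Command=QGS.exe
shell\open\Default=1
shell\explore=Explore(&X)
shell\explore\Command=QGS.exe
"""

# Constructed listing of the drive root: (name, is_directory, has_hidden_attribute)
SAMPLE_LISTING: List[Tuple[str, bool, bool]] = [
    ("AutoRun.inf", False, True),
    ("QGS.exe", False, True),
    ("Photos", True, True),
    ("Photos.exe", False, True),
    ("Work", True, True),
    ("Work.exe", False, True),
    ("notes.txt", False, False),
]

# Keys through which an AutoRun.inf can hand an executable to Explorer.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [AutoRun] section, keys lower-cased.

    A hand-rolled parser is used because real AutoRun.inf files often contain
    duplicate or oddly cased keys that configparser rejects."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip().lower()] = value.strip()
    return keys


def autorun_launch_targets(text: str) -> List[Tuple[str, str]]:
    """(key, command) pairs that would run something when the drive is opened."""
    keys = parse_autorun(text)
    hits = [(k, keys[k]) for k in LAUNCH_KEYS if k in keys]
    # Also catch custom verbs: shell\<anything>\command=...
    hits += [(k, v) for k, v in keys.items()
             if k.startswith("shell\\") and k.endswith("\\command") and k not in LAUNCH_KEYS]
    return hits


def folder_shadow_copies(listing: List[Tuple[str, bool, bool]]) -> List[Tuple[str, bool]]:
    """Files named <dir>.exe that sit next to a directory <dir>.

    Returns (file name, directory is hidden). With extensions and hidden files
    suppressed in Explorer, such a file is indistinguishable from the folder."""
    dirs = {name.lower(): hidden for name, is_dir, hidden in listing if is_dir}
    hits = []
    for name, is_dir, _ in listing:
        if is_dir or not name.lower().endswith(".exe"):
            continue
        stem = name[:-4].lower()
        if stem in dirs:
            hits.append((name, dirs[stem]))
    return hits


if __name__ == "__main__":
    for key, cmd in autorun_launch_targets(SAMPLE_AUTORUN):
        print(f"AutoRun.inf {key} -> {cmd}")
    for fname, dir_hidden in folder_shadow_copies(SAMPLE_LISTING):
        print(f"folder shadow copy: {fname} (directory hidden: {dir_hidden})")
```

To run this against a real drive on Windows, build the listing with os.scandir and read the hidden bit from entry.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN; read AutoRun.inf with errors="replace", since files dropped by this family carry non-UTF-8 captions.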
Once launched, the worm makes the following changes to the registry:
[HKCR\exefile]
"NeverShowExt" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type" = "checkbox2"
As a result, the ".exe" extension is no longer displayed for executable files and files with the hidden and system attributes are not shown in Windows Explorer; the Folder Options controls that would normally re-enable their display are neutralised as well.
The worm terminates processes with the following names (belonging mainly to antivirus and firewall products):
safeboxTray.exe
360Safe.exe
360safebox.exe
360tray.exe
RsMain.exe
RavTask.exe
rfwmain.exe
pfw.exe
RavMonD.exe
Rav.exe
RavMon.exe
RsTray.exe
FYFireWall.exe
KavPFW.exe
rsnetsvr.exe
DSMain.exe
ras.exe
rstry.exe
knownsvr.exe
ScanFrm.exe
CCenter.exe
360rpt.exe
RAVTIMER.EXE
rfwsrv.exe
avconsol.exe
avsynmgr.exe
alogserv.exe
Navapsvc.exe
rtvscan.exe
vptray.exe
vshwin32.exe
vsmon.exe
vsstat.exe
webscanx.exe
ccRegVfy.exe
KAVPlus.EXE
KWatchUI.EXE
KPopMon.EXE
KULANSyn.EXE
KAVSvc.EXE
KAVStart.exe
KMailMon.EXE
KPfwSvc.EXE
KWatch.EXE
NPFMntor.exe
RavStub.exe
TrojDie.kxp
avp.exe
Self-protected security processes normally cannot be killed from user mode, so the worm does this from the kernel with the following driver, which is extracted from its body:
%System%\drivers\BGS.sys (1984 bytes; detected by Kaspersky Anti-Virus as "Rootkit.Win32.Small.aoo")
%System%\RavExt.dll
%System%\bsmain.exe
To prevent the security products from starting again, the worm creates debugger-redirection entries under Image File Execution Options:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name>]
"Debugger" = "ntsd -d"
In all, 46 keys are created. The substring <name> takes the following values:
safeboxTray.exe
360Safe.exe
360safebox.exe
360tray.exe
RsMain.exe
RavTask.exe
rfwmain.exe
pfw.exe
RavMonD.exe
Rav.exe
RavMon.exe
RsTray.exe
FYFireWall.exe
KavPFW.exe
rsnetsvr.exe
DSMain.exe
ras.exe
rstry.exe
knownsvr.exe
ScanFrm.exe
CCenter.exe
360rpt.exe
RAVTIMER.EXE
rfwsrv.exe
avconsol.exe
avsynmgr.exe
alogserv.exe
Navapsvc.exe
rtvscan.exe
vptray.exe
vshwin32.exe
vsmon.exe
vsstat.exe
webscanx.exe
ccRegVfy.exe
KAVPlus.EXE
KWatchUI.EXE
KPopMon.EXE
KULANSyn.EXE
KAVSvc.EXE
KAVStart.exe
KMailMon.EXE
KPfwSvc.EXE
KWatch.EXE
NPFMntor.exe
When a "Debugger" value exists for an image name, Windows launches that image through the named debugger instead of directly. "ntsd -d" hands control to a kernel debugger that is not attached (and ntsd.exe is not shipped at all on newer Windows versions), so the listed programs never run normally. Any "Debugger" value under Image File Execution Options that is not a known developer tool is worth treating as suspicious.
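An added example for this page (not code from the description or from Kaspersky) that audits a `reg export` file for both registry tricks described above: "Debugger" redirection under Image File Execution Options and the Explorer values that suppress hidden files and extensions. SAMPLE_REG is constructed: it contains the worm's values as the description lists them plus a benign IFEO entry (a Visual Studio JIT debugger path and a GlobalFlag) so the filter has something to ignore; the exact value types in a live registry may differ from the sample, which is why the comparison is done on the string form.

```python
"""Audit a registry export (.reg) for the two hiding tricks described above:
Image File Execution Options "Debugger" redirection and the Explorer values
that suppress hidden files and extensions.

Added example for this page, not code from the description or from Kaspersky.
SAMPLE_REG is constructed: it mixes the worm's values (as the description lists
them) with a benign IFEO entry so that the filter has something to ignore.
"""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, object]]   # key path (lower-cased) -> {value name -> value}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox2"

[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"=""
'''

_KEY_RE = re.compile(r"^\[-?(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode_value(raw: str):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) blobs are left undecoded; not needed here


def parse_reg_export(text: str) -> RegTree:
    """Minimal parser for the single-line values in a `reg export` file."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            tree[current][name.lower()] = _decode_value(m.group(2))
    return tree


IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options" + "\\"


def ifeo_debugger_hijacks(tree: RegTree) -> List[Tuple[str, object]]:
    """(image name, Debugger value) for every IFEO entry that redirects a program."""
    hits = []
    for key, values in tree.items():
        if key.startswith(IFEO) and "debugger" in values:
            image = key[len(IFEO):]
            if "\\" not in image:              # skip sub-keys such as <image>\PerfOptions
                hits.append((image, values["debugger"]))
    return sorted(hits)


# (key, value name, value the description says the worm sets)
EXPLORER_TAMPER = [
    (r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced", "showsuperhidden", 0),
    (r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall", "checkedvalue", 0),
    (r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden", "type", "checkbox2"),
]


def explorer_hiding_tamper(tree: RegTree) -> List[Tuple[str, object]]:
    """Explorer settings that match the worm's 'hide everything' configuration."""
    hits = []
    for key, name, bad in EXPLORER_TAMPER:
        val = tree.get(key, {}).get(name)
        if val is not None and str(val) == str(bad):   # tolerate REG_SZ "0" vs dword 0
            hits.append((key.rsplit("\\", 1)[-1] + "\\" + name, val))
    # NeverShowExt hides the extension whenever the value exists, whatever it holds.
    if "nevershowext" in tree.get(r"hkey_classes_root\exefile", {}):
        hits.append(("exefile\\NeverShowExt", "present"))
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    tree = parse_reg_export(text)
    for image, dbg in ifeo_debugger_hijacks(tree):
        note = "  (ntsd -d: program will not start)" if dbg == "ntsd -d" else ""
        print(f"IFEO: {image} -> {dbg}{note}")
    for setting, value in explorer_hiding_tamper(tree):
        print(f"Explorer: {setting} = {value}")
```

On a live system, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and likewise for the Explorer keys, appending to one file); `reg export` writes UTF-16, which is why the script opens the file with encoding="utf-16".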
The worm also creates the following registry keys and values:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Installer]
"QDS" = "ofhrb"
[HKLM\Software\Microsoft\Tracing\wuauolts_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\Software\Microsoft\Tracing\wuauolts_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "1"
The two Tracing keys are created automatically by the RAS API the first time a process named "wuauolts.exe" uses it, so they are a by-product of the worm's network activity rather than a setting it chooses; they are nevertheless a useful artefact for identifying the process name. The CLSID {871C5380-42A0-1069-A2EA-08002B30309D} is the Internet Explorer desktop icon, so both values hide the genuine Internet Explorer icon regardless of the Start menu style in use.
The worm also modifies the hosts file %System%\drivers\etc\hosts, entering the following strings into it:
127.0.0.1 www.iq123.com
127.0.0.1 www.yijidh.com
127.0.0.1 www.250dh.cn
127.0.0.1 www.223.la
127.0.0.1 www.kuku123.com
127.0.0.1 www.930930.com
127.0.0.1 www.7999.com
127.0.0.1 www.9123.com
127.0.0.1 www.hao123e.com
127.0.0.1 www.020.com
127.0.0.1 www.sosote.com
127.0.0.1 www.uu108.com
127.0.0.1 www.yao.la
127.0.0.1 www.youxi777.com
127.0.0.1 www.1616.net
127.0.0.1 www.1188.com
127.0.0.1 www.9605.com
127.0.0.1 05505.cn
127.0.0.1 7055.net
127.0.0.1 www.0056.com
127.0.0.1 www.6655.com
127.0.0.1 www.1166.com
127.0.0.1 www.5kip.com
127.0.0.1 www.114xia.com
127.0.0.1 www.pp55.com
127.0.0.1 www.265dh.com
127.0.0.1 www.3567.com
127.0.0.1 www.6565.cn
127.0.0.1 www.666t.com
127.0.0.1 www.9223.com
127.0.0.1 www.dduu.com
127.0.0.1 www.hao123.cn
127.0.0.1 5snow.com
127.0.0.1 www.2523.com
127.0.0.1 www.5599.net
127.0.0.1 www.tt98.com
127.0.0.1 www.zhaodao123.com
127.0.0.1 www.www.kuhao123.com
127.0.0.1 www.5151la.net
127.0.0.1 www.3567.com
127.0.0.1 www.6h.com.cn
127.0.0.1 www.zeibi.com
127.0.0.1 www.6e8e.com
127.0.0.1 www.th123.com
127.0.0.1 www.hao123ol.com
127.0.0.1 www.wu123.com
127.0.0.1 www.t220.cn
127.0.0.1 www.ttver.net
127.0.0.1 www.188HI.com
127.0.0.1 www.2523.com
127.0.0.1 www.go2000.com
127.0.0.1 www.5igb.com
127.0.0.1 www.bb2000.net
127.0.0.1 www.9wa.com
127.0.0.1 www.qq5.com
127.0.0.1 www.365j.com
127.0.0.1 www.7345.com
127.0.0.1 www.2760.com
127.0.0.1 www.361la.com
127.0.0.1 www.haojs.com
127.0.0.1 www.5zd.com
127.0.0.1 www.i8866.com
127.0.0.1 www.100wz.com
127.0.0.1 www.114hi.com
127.0.0.1 www.234.la
127.0.0.1 www.657.com
127.0.0.1 www.339.la
127.0.0.1 www.365wz.net
127.0.0.1 www.71314.com
127.0.0.1 www.7792.com
127.0.0.1 www.9495.com
127.0.0.1 www.dazuimao.com
127.0.0.1 www.71314.com
127.0.0.1 www.gouwo.com
127.0.0.1 www.huai456.com
127.0.0.1 www.ku256.com
127.0.0.1 www.my180.com
127.0.0.1 www.2522.cn
127.0.0.1 www.405.cn
127.0.0.1 www.44244.com
127.0.0.1 www.111dh.com
127.0.0.1 www.115ku.com
127.0.0.1 www.13387.com
127.0.0.1 www.163yes.com
127.0.0.1 www.2523.com
127.0.0.1 www.256s.com
127.0.0.1 www.2676.com
127.0.0.1 www.3355.net
127.0.0.1 www.365lo.com
127.0.0.1 www.4168.com
127.0.0.1 www.4545.cn
127.0.0.1 www.4688.com
127.0.0.1 www.566.net
127.0.0.1 www.5666.net
127.0.0.1 www.5733.com
127.0.0.1 www.6461.cn
127.0.0.1 www.7356.com
127.0.0.1 www.800186.com
127.0.0.1 www.85851.com
127.0.0.1 www.asp51.com
127.0.0.1 www.361dh.com
127.0.0.1 www.5566.net
127.0.0.1 www.yulinweb.com
127.0.0.1 www.6296.com.cn
127.0.0.1 www.mianfeia.com
127.0.0.1 www.ai1234.com
127.0.0.1 www.k369.com
127.0.0.1 www.msncn.com
127.0.0.1 www.ss256.com
127.0.0.1 www.min513.com
127.0.0.1 www.88-888.com
127.0.0.1 www.lggg.cn
127.0.0.1 www.7771.cn
127.0.0.1 www.leeboo.com
127.0.0.1 www.jjol.cn
127.0.0.1 www.5566.com
127.0.0.1 www.9166.net
127.0.0.1 www.hao253.com
127.0.0.1 mx.1616.net
127.0.0.1 www.7b.com.cn
127.0.0.1 www.haoei.com
127.0.0.1 www.21310.cn
127.0.0.1 www.weiduomei.net
127.0.0.1 www.kuku123.com
127.0.0.1 www.kk3000.cn
127.0.0.1 www.th123.com
127.0.0.1 www.7241.cn
127.0.0.1 www.44384.com
127.0.0.1 www.3567.com
127.0.0.1 www.930930.com
127.0.0.1 www.131.cc
127.0.0.1 www.223224.com
127.0.0.1 www.537.com
127.0.0.1 www.9348.cn
127.0.0.1 www.bju123.cn
127.0.0.1 www.hao123ol.com
127.0.0.1 www.i4455.com
127.0.0.1 www.asp51.com
127.0.0.1 www.f127.com
127.0.0.1 www.jia123.com
127.0.0.1 www.0666.com.cn
127.0.0.1 www.5599.net
127.0.0.1 www.365j.com
127.0.0.1 www.553.la
127.0.0.1 www.5566.org
127.0.0.1 www.37021.com
127.0.0.1 www.88488.com
127.0.0.1 www.99986.net
127.0.0.1 www.37021.net
127.0.0.1 www.k986.com
127.0.0.1 www.cc62.com
127.0.0.1 www.5518.cn
127.0.0.1 www.55620.com
127.0.0.1 www.52416.com
127.0.0.1 www.7357.cn
127.0.0.1 www.8c8c.net
127.0.0.1 www.9999q.com
127.0.0.1 www.123shi123.com
127.0.0.1 www.yl234.cn
127.0.0.1 www.3322.com
127.0.0.1 www.hao222.com
127.0.0.1 www.6313.com
127.0.0.1 www.i4455.com
127.0.0.1 www.f127.com
127.0.0.1 www.5599cn.cn
127.0.0.1 www.99499.com
127.0.0.1 www.2548.cn
127.0.0.1 www.133.net
127.0.0.1 www.ie30.com
127.0.0.1 www.8751.com
127.0.0.1 www.8751.com
127.0.0.1 www.7241.cn
127.0.0.1 www.160dh.com
127.0.0.1 www.114115.com
127.0.0.1 www.1322.cn
127.0.0.1 www.hh361.com
127.0.0.1 www.2800.cc
127.0.0.1 www.52daohang.com
127.0.0.1 www.186.me
127.0.0.1 www.diyidh.com
Thereby, access to the listed resources is blocked: name resolution for each of them returns the loopback address before DNS is consulted. Several names appear more than once in the list the worm writes; the duplicates are reproduced as found.
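An added example for this page (not code from the description or from Kaspersky) that triages a hosts file for the blocking technique just described: names pinned to loopback or 0.0.0.0 that are not the stock localhost aliases, with an optional cross-check against a known list such as the one above. SAMPLE_HOSTS is constructed: the two localhost lines of a stock Windows hosts file, three names taken from the list above, and an invented "updates.example-av.test" standing in for a security-product update server.

```python
"""Triage of a hosts file for entries that sink domains to loopback, the
blocking technique described above.

Added example for this page, not code from the description or from Kaspersky.
SAMPLE_HOSTS is constructed: a stock Windows hosts file plus a few entries in the
form the worm appends (three names are from the list above; the .test name is
invented and stands in for an update server).
"""
import ipaddress
from typing import List, Set, Tuple

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.hao123.cn
127.0.0.1 www.1616.net
0.0.0.0 www.7999.com      # 0.0.0.0 is the other common sinkhole address
127.0.0.1 updates.example-av.test
"""

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Tuple[int, object, str]]:
    """(line number, address object, hostname) for every mapping, comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                        # malformed line; not our concern here
        for host in parts[1:]:              # one address may carry several names
            entries.append((lineno, addr, host.lower()))
    return entries


def sinkholed_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Hostnames pinned to loopback or 0.0.0.0 that are not stock aliases.

    Returns (hostname, address, line number) so the entry can be located."""
    hits = []
    for lineno, addr, host in parse_hosts(text):
        if (addr.is_loopback or addr.is_unspecified) and host not in LOOPBACK_OK:
            hits.append((host, str(addr), lineno))
    return hits


def matches_known_list(text: str, known: Set[str]) -> List[str]:
    """Cross-check against names a particular sample is known to block
    (for instance the domains listed in the description above)."""
    return sorted({h for h, _, _ in sinkholed_hosts(text) if h in known})


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for host, addr, lineno in sinkholed_hosts(text):
        print(f"line {lineno}: {host} -> {addr}")
```

On Windows the file to pass is %SystemRoot%\System32\drivers\etc\hosts; the worm's entries above are all 127.0.0.1, but the check also covers 0.0.0.0, which other blockers use for the same purpose. Entries pointing at a non-local address (pharming rather than blocking) are a separate check and are not what this sample does.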
The worm also extracts the following library from its body:
%System%\iajsd.dll (17 920 bytes; detected by Kaspersky Anti-Virus as "not-a-virus:Monitor.Win32.ActualSpy.27")
and injects the library's code into the address space of every process running in the system. The injected library hooks the function "NtQuerySystemInformation()" so that the worm's own entry is removed from the process list returned to callers, hiding the process from Task Manager and from any other user-mode tool that enumerates processes through that call.
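An added illustration for this page (not code from the description or from Kaspersky) of what such a hook does to the buffer NtQuerySystemInformation() returns, and of the cross-view check that exposes it. The record layout is a deliberately simplified stand-in for the kernel's SYSTEM_PROCESS_INFORMATION: only the NextEntryOffset chain, a PID and an image name are kept, which is all the unlinking trick touches. The process list and PIDs are constructed.

```python
"""How a NtQuerySystemInformation() hook hides a process, and how a linear
scan of the same buffer exposes it.

Added example for this page, not code from the description or from Kaspersky.
The record layout here is a deliberately simplified stand-in for the kernel's
SYSTEM_PROCESS_INFORMATION: it keeps only the NextEntryOffset chain, a PID and
an image name, which is all the unlinking trick touches. The process list is
constructed; the PIDs are invented.
"""
import struct
from typing import List, Tuple

# NextEntryOffset (u32), UniqueProcessId (u32), image-name byte length (u16)
HDR = struct.Struct("<IIH")


def build_list(procs: List[Tuple[int, str]]) -> bytes:
    """Pack processes the way the kernel returns them: variable-size records
    chained by byte offset, the last one carrying NextEntryOffset == 0."""
    out = bytearray()
    for i, (pid, name) in enumerate(procs):
        body = name.encode("utf-16-le")
        nxt = HDR.size + len(body) if i < len(procs) - 1 else 0
        out += HDR.pack(nxt, pid, len(body)) + body
    return bytes(out)


def walk(buf: bytes) -> List[Tuple[int, str]]:
    """What Task Manager does: follow the NextEntryOffset chain."""
    procs, off = [], 0
    while True:
        nxt, pid, nlen = HDR.unpack_from(buf, off)
        procs.append((pid, buf[off + HDR.size: off + HDR.size + nlen].decode("utf-16-le")))
        if not nxt:
            return procs
        off += nxt


def hide_process(buf: bytes, hidden_pid: int) -> bytes:
    """What the hook does to the buffer the real call just filled: point the
    previous record past the one to hide. Nothing is erased; the record is
    merely no longer reachable through the chain."""
    buf = bytearray(buf)
    prev, off = None, 0
    while True:
        nxt, pid, _ = HDR.unpack_from(buf, off)
        if pid == hidden_pid:
            if prev is None:
                raise ValueError("hiding the first record would need a memmove; not handled")
            prev_nxt, prev_pid, prev_len = HDR.unpack_from(buf, prev)
            HDR.pack_into(buf, prev, prev_nxt + nxt if nxt else 0, prev_pid, prev_len)
            return bytes(buf)
        if not nxt:
            return bytes(buf)           # pid not present; buffer unchanged
        prev, off = off, off + nxt


def linear_scan(buf: bytes) -> List[Tuple[int, str]]:
    """Ignore the chain and step through records by their own size."""
    procs, off = [], 0
    while off < len(buf):
        _, pid, nlen = HDR.unpack_from(buf, off)
        procs.append((pid, buf[off + HDR.size: off + HDR.size + nlen].decode("utf-16-le")))
        off += HDR.size + nlen
    return procs


def unlinked_records(buf: bytes) -> List[Tuple[int, str]]:
    """Cross-view check: records the linear scan sees but the chain walk does not."""
    visible = set(walk(buf))
    return [p for p in linear_scan(buf) if p not in visible]


if __name__ == "__main__":
    sample = [(0, "Idle"), (4, "System"), (1234, "wuauolts.exe"), (2000, "explorer.exe")]
    buf = build_list(sample)
    hooked = hide_process(buf, 1234)
    print("chain walk :", walk(hooked))
    print("linear scan:", linear_scan(hooked))
    print("hidden     :", unlinked_records(hooked))
```

The point of the cross-view check is that a user-mode hook can only edit what its own caller sees: the unlinked record is still in the buffer, and any second source the hook does not cover (here a linear scan; on a real system a kernel-side enumeration, a scan of PID space with OpenProcess, or simply a tool the DLL was not injected into) disagrees with the filtered list.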
The worm creates the following shortcuts:
%USERPROFILE%\Desktop\Internet Explorer.lnk
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
Both shortcuts point to the object:
"%Program Files%\Internet Explorer\iexplore.exe" http://i.163vv.com
so that starting the browser from either shortcut opens that site, while the genuine Internet Explorer desktop icon is hidden by the HideDesktopIcons values listed above.
www.a***ifen.com
www.b***du.com
If your computer does not have an antivirus and is infected by this malicious program, use Kaspersky Anti-Virus to delete it: perform a full scan of the computer with up-to-date antivirus databases.
Behaviour: Trojan
This type of behaviour covers malicious programs that delete, block, modify, or copy data, or disrupt computer or network performance, but which cannot be classified under any of the more specific Trojan behaviours.
This classification also covers "multipurpose" Trojan programs, i.e. those capable of performing several actions at once and demonstrating several Trojan behaviours in a single program, which means they cannot be indisputably classified as having any single behaviour.