Home / malware Trojan.PWS.Agent.SGD
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.PWS.Agent.SGD is also known as Trojan-GameThief.Win32.OnLineGames.tpnr, PWS-Mmorpg.gen, TR/Agent.14336.49, Trojan.Siggen.337.
Explanation :
The malware drops the following files:
1) %windir%system32hbqqxx.dll
- this .dll will be injected in all the running processes and it will try to steal sensitive information, such as user accounts and passwords for the Tencent QQ instant messaging program
2) %windir%system32system.exe
3) %windir%system32drivershbkernel32.sys
- a service named HBKernel32 will be created and will be started at every system startup
- will set the registry key:
HKLMSystemCurrentControlSetServicesHBKernel32
ImagePath -> %windir%system32driversHBKernel32.sys
- the NTSetValueKey entry in the System Service Descriptor Table will be hooked to point to code from this file
4) c:documents and settings\%user_name%local settings empselfdel.bat
- this is a batch script that will delete the original malware file after it completes its tasks
After dropping these files, the trojan will run system.exe and selfdel.bat.
System.exe will perform the following registry operations:
- will add itself to the registry key to run at every system startup:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
HBService32 -> System.exe
- will set
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWindows
AppInit_DLLs -> HBmhly.dll, HB1000Y.dll, HBWOOOL.dll, HBXY2.dll, HBJXSJ.dll, HBSO2.dll, HBFS2.dll, HBXY3.dll, HBSHQ.dll, HBFY.dll, HBWULIN2.dll, HBW2I.dll, HBKDXY.dll, HBWORLD2.dll, HBASKTAO.dll, HBZHUXIAN.dll, HBWOW.dll, HBZERO.dll, HBBO.dll, HBCONQUER.dll, HBSOUL.dll, HBCHIBI.dll, HBDNF.dll, HBWARLORDS.dll, HBTL.dll, HBPICKCHINA.dll, HBCT.dll, HBGC.dll, HBHM.dll, HBHX2.dll, HBQQHX.dll, HBTW2.dll, HBQQSG.dll, HBQQFFO.dll, HBZT.dll, HBMIR2.dll, HBRXJH.dll, HBYY.dll, HBMXD.dll, HBSQ.dll, HBTJ.dll, HBFHZL.dll, HBWLQX.dll, HBLYFX.dll, HBR2.dll, HBCHD.dll, HBTZ.dll, HBQQXX.dll, HBWD.dll, HBZG.dll, HBPPBL.dll, HBXMJ.dll, HBJTLQ.dll, HBQJSJ.dll
- will remove the entries:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
360Safetray
360Safebox
which belong to a Chinese antivirus.
System.exe will be run as a process accessible only from kernel mode. If trying to kill this process with task manager, an error will occur.Last update 21 November 2011