Trojan.Agent.AJJX
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Agent.AJJX is also known as Trojan-Downloader.Win32.Small.aacq.
Explanation:
When run, this malware first tries to remove the following registry values:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Name = JavaView
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Name = DesktopWin
These values were set by a previous version of this malware in order to load one of its components at every system startup.
Then it checks whether it is already installed on the system by searching for a mutex named __DL_CORE4GAEX_MUTEX__. If the mutex is found, it drops a file named unixxx.bat that is used to delete itself. Otherwise, it drops a file named msgmr.dll in the %ProgramFiles%\Messenger folder (creating the folder if it does not exist) and creates/sets the following registry keys so that the DLL is loaded at every system reboot:
HKCR\CLSID\{DA191DE0-AA86-4ED0-4B87-293D48B2AE99}\InprocServer32
@ = %ProgramFiles%\Messenger\msgmr.dll
ThreadingModel = Apartment
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
msnmsg = {DA191DE0-AA86-4ED0-4B87-293D48B2AE99}
Values under ShellServiceObjectDelayLoad are CLSIDs of COM objects that explorer.exe instantiates when the shell starts, so pointing this CLSID's InprocServer32 at msgmr.dll gets the DLL loaded into the Explorer process at every logon without touching the more commonly inspected Run keys.
Next, the malware uses the command line
rundll32 "C:\Program Files\Messenger\msgmr.dll",UIMessage
to execute the code from msgmr.dll and then deletes itself using the same unixxx.bat file described above.
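The persistence chain above (an SSODL value naming a CLSID whose InprocServer32 points at msgmr.dll) can be audited offline from a registry export. The script below is an added example written for this page, not BitDefender's code and not part of the malware: it parses the text that `reg export` produces for the ShellServiceObjectDelayLoad key and for HKCR\CLSID, resolves every SSODL entry to the DLL its CLSID loads (decoding both REG_SZ strings and REG_EXPAND_SZ values, which `reg export` writes as `hex(2):` UTF-16LE with continuation lines), and flags entries that match the indicators from this description or whose DLL lives outside %SystemRoot%\System32. The sample .reg text, the WebCheck entry standing in for a legitimate Windows entry, and the environment map are constructed for the example.

```python
"""Offline SSODL persistence triage. Added example, not BitDefender's code.
Parses `reg export` text, resolves each ShellServiceObjectDelayLoad value to
the DLL its CLSID loads and flags indicator matches or non-System32 DLLs.
The sample .reg text and environment map below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the write-up: SSODL value names (this and the previous
# version), the malicious CLSID and the dropped DLL name.
IOC_VALUE_NAMES = {"msnmsg", "javaview", "desktopwin"}
IOC_CLSID = "{DA191DE0-AA86-4ED0-4B87-293D48B2AE99}"
IOC_DLL = "msgmr.dll"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Constructed sample in `reg export` format. WebCheck stands in for a legitimate
# entry (REG_EXPAND_SZ -> hex(2)); msnmsg mirrors the data in the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"msnmsg"="{DA191DE0-AA86-4ED0-4B87-293D48B2AE99}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,65,00,\
  62,00,63,00,68,00,65,00,63,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{DA191DE0-AA86-4ED0-4B87-293D48B2AE99}\InprocServer32]
@="%ProgramFiles%\\Messenger\\msgmr.dll"
"ThreadingModel"="Apartment"
"""
# Constructed environment of the examined host (variable names lower-cased).
SAMPLE_ENV = {"systemroot": r"C:\Windows", "programfiles": r"C:\Program Files"}


def decode_value(raw: str) -> Optional[str]:
    """Decode REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...); other types -> None."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # .reg files escape backslash and double quote with a backslash.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return None


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` text into {key_lower: {value_name_lower: str}} ("" = default)."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex(...) continuation lines
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        value = decode_value(raw)
        if value is not None:
            current["" if name == "@" else name.strip().strip('"').lower()] = value
    return keys


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references with the supplied env map; unknown names stay as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def triage_ssodl(reg: Dict[str, Dict[str, str]],
                 env: Dict[str, str]) -> List[Tuple[str, str, str, List[str]]]:
    """Resolve each SSODL entry to its DLL; return (name, clsid, dll, reasons)."""
    system32 = (env.get("systemroot", r"C:\Windows") + "\\System32\\").lower()
    findings = []
    for name, clsid in reg.get(SSODL_KEY.lower(), {}).items():
        server = f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32"
        dll = expand_env(reg.get(server, {}).get("", ""), env)
        reasons = []
        if name in IOC_VALUE_NAMES:
            reasons.append("SSODL value name matches a known indicator")
        if clsid.upper() == IOC_CLSID:
            reasons.append("CLSID matches the known indicator")
        if dll.lower().endswith("\\" + IOC_DLL):
            reasons.append("InprocServer32 DLL name matches the known indicator")
        if not dll:
            reasons.append("CLSID has no InprocServer32 in the export")
        elif not dll.lower().startswith(system32):
            reasons.append("DLL lives outside %SystemRoot%\\System32")
        findings.append((name, clsid, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, clsid, dll, reasons in triage_ssodl(parse_reg(SAMPLE_REG), SAMPLE_ENV):
        print(f"{'SUSPICIOUS' if reasons else 'ok':10} {name:12} {clsid} -> {dll}")
        for reason in reasons:
            print(f"{'':13}- {reason}")
```

To run it against a real host, concatenate the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" ssodl.reg` and `reg export HKCR\CLSID clsid.reg` and pass the text to parse_reg (the exports are UTF-16, so open them with that encoding); on 64-bit Windows also export the Wow6432Node copy of the SSODL key. The "outside System32" rule is a triage signal rather than proof of compromise: legitimate third-party SSODL entries exist but are rare, so anything it flags deserves a look at the DLL's signature and drop time.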
Then another file embedded inside msgmr.dll is dropped as Framdee.ttf in the %WINDOWS%\Fonts folder. This component of the malware creates a mutex named __DL_CORE4GAEX_MUTEX__ to make sure that only one copy of the malware is running at any time, and then downloads the following files to the %TEMP% folder:
http://live.[removed].net/moon.gif
http://ftp.[removed].info/moon.gif
http://ftp.[removed].info/moon.asp?action=update&version=%u - when this description was made, this file wasn't found
The files named moon.gif contain links to other malware that will be downloaded and run on the user's computer.
Last update 21 November 2011