
Trojan.Agent.AAQK


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Agent.AAQK is also known as Troj/FakeAV-CC, W32/Agent.AAQ!tr, Win32/Small.NEB, W32/Agent.GYHC, Trojan.Fakealert.1260.

Explanation:

The malware copies itself to
C:\Documents and Settings\[user]\Local Settings\Temp under the name
__a00[some-hexa-digits].exe

and adds the following registry value so that it is started at every logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\A00[some-hexa-digits].exe
C:\Documents and Settings\[user]\Local Settings\Temp\__a00[some-hexa-digits].exe

Afterwards, the trojan drops a .dll file (in the directory from which it was run) under its original file name and extension followed by .dat. It loads this DLL and executes its exported function named A.

Running that code copies the DLL into the system directory (C:\windows\system32) under a name of the form __c00[five-hexa-digits].dat and sets the following registry key, which registers the DLL as a Winlogon notification package:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00[five-hexa-digits]
* Logon -> B
* Impersonate -> 0x00000000
* DllName -> C:\WINDOWS\system32\__c00[five-hexa-digits].dat
* Startup -> B
* Asynchronous -> 0x00000001

Also, it creates a mutex named vmc_mm and downloads a file from a link that was already down at the moment this description was made.
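The two persistence locations described above (the Run value pointing into Local Settings\Temp and the Winlogon\Notify package loading a .dat from system32) can be checked against an exported registry snapshot. The following is an added detection example, not BitDefender's code; it works on a constructed in-memory snapshot rather than reading the live registry, and the sample values are invented to match the naming patterns given in this description.

```python
import re
from typing import Dict, List

# Naming patterns taken from the description above:
#   Run value named A00<hex>.exe whose data points to __a00<hex>.exe in Local Settings\Temp
#   Winlogon\Notify subkey named __c00<5 hex> whose DllName is __c00<5 hex>.dat in system32
RUN_NAME_RE = re.compile(r"^a00[0-9a-f]+\.exe$", re.IGNORECASE)
RUN_DATA_RE = re.compile(r"\\Local Settings\\Temp\\__a00[0-9a-f]+\.exe$", re.IGNORECASE)
NOTIFY_KEY_RE = re.compile(r"^__c00[0-9a-f]{5}$", re.IGNORECASE)
NOTIFY_DLL_RE = re.compile(r"\\system32\\__c00[0-9a-f]{5}\.dat$", re.IGNORECASE)


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag HKCU\\...\\Run values whose name or data matches the __a00 pattern."""
    hits = []
    for name, data in run_values.items():
        if RUN_NAME_RE.match(name) or RUN_DATA_RE.search(data):
            hits.append(f"Run value {name!r} -> {data}")
    return hits


def check_winlogon_notify(notify_subkeys: Dict[str, Dict[str, object]]) -> List[str]:
    """Flag Winlogon\\Notify packages matching the __c00 pattern.

    A Notify package whose DllName does not end in .dll is also reported, since
    a legitimate notification package is a DLL and the trojan uses a .dat name.
    """
    hits = []
    for subkey, values in notify_subkeys.items():
        dll = str(values.get("DllName", ""))
        if NOTIFY_KEY_RE.match(subkey) or NOTIFY_DLL_RE.search(dll):
            hits.append(f"Notify package {subkey!r} loads {dll}")
        elif dll.lower().endswith(".dat"):
            hits.append(f"Notify package {subkey!r} loads non-DLL {dll}")
    return hits


# Constructed snapshot (not real data): one clean and one suspicious entry per location.
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "A001F3C.exe": r"C:\Documents and Settings\bob\Local Settings\Temp\__a001f3c.exe",
}
SAMPLE_NOTIFY = {
    "crypt32chain": {"DllName": "crypt32.dll", "Logon": "ChainWlxLogonEvent", "Asynchronous": 0},
    "__c00a1b2c": {"DllName": r"C:\WINDOWS\system32\__c00a1b2c.dat", "Logon": "B", "Startup": "B", "Asynchronous": 1},
}


def scan(run_values=SAMPLE_RUN, notify_subkeys=SAMPLE_NOTIFY) -> List[str]:
    """Return all findings for a snapshot of the two registry locations."""
    return check_run_values(run_values) + check_winlogon_notify(notify_subkeys)


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

On a real host the two dictionaries would be filled from the HKCU Run key and the HKLM Winlogon\Notify subkeys (for example via a .reg export), after which the checks apply unchanged.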

Last update 21 November 2011
