Trojan:JS/Agent.JP
First posted on 19 January 2009.
Source: SecurityHome
Aliases:
There are no other names known for Trojan:JS/Agent.JP.
Explanation:
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.
This malware does nothing except propagate itself. It is capable of propagating by contaminating CDs burned on an infected system with copies of its infectious code.
Installation
During installation, the malware creates a decrypted copy of itself as %temp%\[random].tmp. This file is detected as Worm.VBS.Agent.w. It then executes this decrypted copy, using the following command:
- WScript.exe /e:VBScript %temp%\[random].tmp "Q"
Next, the malware creates the following files:
- %temp%\Yuyun.Q
- %temp%\auto.exe
The first file contains zero bytes. The file %temp%\auto.exe is actually the autorun file for the decrypted copy of the malware, and it is this particular file that is detected as Trojan:JS/Agent.JP.
The malware attempts to create a copy of itself in the following Alternate Data Stream file:
- %WinDir%:Microsoft Office Update for Windows XP.sys
It also creates a copy of itself in the following folder:
- %MyDocuments%\database.mdb
Propagation
This malware is capable of propagating through infected CDs. To do so, the malware creates the following files:
- %ApplicationData%\Microsoft\CD Burning\thumb.db
- %ApplicationData%\Microsoft\CD Burning\autorun.inf
The first file is also detected as Trojan:JS/Agent.JP, while the second file is the autorun file for the first. Subsequently, all CDs burned on the infected system will be contaminated with these files.
The file %ApplicationData%\Microsoft\CD Burning\autorun.inf contains the following data:
- [autorun]
open=WScript.exe //e:VBScript thumb.db auto
shell\open=Open
shell\open\Command=WScript.exe //e:VBScript thumb.db auto
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=WScript.exe //e:VBScript thumb.db auto
This same data is also present in the %temp%\auto.exe file.
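As an added example (not the vendor's own detection code), the following Python checker parses autorun.inf data like the above and flags the pattern it relies on: WScript.exe launched with an explicit //e:VBScript engine switch on a file whose extension is not a script extension (thumb.db). The sample text is constructed from the data shown above; the key list and extension set are assumptions, not values from the page.

```python
import re

# Constructed sample reproducing the autorun.inf data described above.
SAMPLE_AUTORUN = """[autorun]
open=WScript.exe //e:VBScript thumb.db auto
shell\\open=Open
shell\\open\\Command=WScript.exe //e:VBScript thumb.db auto
shell\\open\\Default=1
shell\\explore=Explore
shell\\explore\\Command=WScript.exe //e:VBScript thumb.db auto
"""

# Extensions the Windows Script Host would normally be handed (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Keys whose value is executed when the volume is opened or explored.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def parse_autorun(text: str) -> dict:
    """Return key=value pairs from the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_commands(text: str) -> list:
    """Flag executable keys that run WScript/CScript with an explicit engine
    switch (//e: or /e:) on a file whose extension is not a script extension."""
    hits = []
    for key, value in parse_autorun(text).items():
        tokens = value.split()
        if not EXEC_KEYS.match(key) or len(tokens) < 3:
            continue
        if not tokens[0].lower().endswith(("wscript.exe", "cscript.exe")):
            continue
        engine = any(re.match(r"^/{1,2}e:", t, re.I) for t in tokens[1:])
        target = next((t for t in tokens[1:] if not t.startswith("/")), "")
        ext = target[target.rfind("."):].lower() if "." in target else ""
        if engine and target and ext not in SCRIPT_EXTS:
            hits.append(f"{key}: {value}")
    return hits
```

Running suspicious_commands over the sample reports the open, shell\open\Command and shell\explore\Command entries, while an autorun.inf that simply runs setup.exe, or that hands a real .vbs file to WScript.exe, produces no hits.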
Registry
The malware makes a number of modifications to the registry to facilitate its propagation. Some interesting changes it makes include disabling the Registry Editor by creating the following registry entries:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = dword:00000001
Also, the malware checks whether the day of the month is "1"; if so, it creates the following registry entries:
- HKCR\CLSID\{11111111-2222-3333-4444-555555555555}
(Default) = "Yuyun_Cantix"
- HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\DefaultIcon
(Default) = "shell32.dll,48"
- HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\ShellFolder
Attributes = dword:00000000
- HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{11111111-2222-3333-4444-555555555555}
And then creates the following file:
- %temp%\v.doc - normal file
Activation
The malware checks whether the date is April 1; if so, it runs the file %temp%\v.doc, using the following command three times:
- notepad.exe /p %temp%\v.doc
This command makes the malware print the file from within a notepad.exe process. The printed file should look like this:
The malware then takes a number of actions involving:
- All found drives
- Folders under that drive
- %MyDocuments%
- Folders under %MyDocuments%
- %MyNetworkPlaces% shares
- Folders under %MyNetworkPlaces% shares
First, it drops the following files to these locations:
- thumb.db - copy of malware
- autorun.inf - autorun file of the malware
- Microsoft.lnk - shortcut file link ("[drive]:\thumb.db")
The shortcut file link is named after the folder name.
If the date is April 1, it also drops:
- A copy of %temp%\v.doc
- Baca AQ.rtf
- My name is Yuyun.rtf
It may also create one of the following shortcut file links "[drive]:\thumb.db" in these locations:
- New Harry Potter and....lnk
- New Folder.lnk
- SuratQ.lnk
- Rahasia.lnk
- Game.lnk
- Zvnita.lnk
- Download.lnk
- DataQ.lnk
Last update 19 January 2009