MSIL/Agent.DQ

Category trojan,worm
Size 123392 B
Detection created Nov 30, 2012
Detection database version 7749
Aliases MSIL:FakeUpdate-A (Avast)
Short description

MSIL/Agent.DQ is a worm that spreads via removable media.

Installation

When executed, the worm copies itself into the following location:

  • C:\ProgramData\ChromeUpdate\ChromeUpdate.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "ChromeUpdate" = "C:\ProgramData\ChromeUpdate\ChromeUpdate.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 0
  • [HKEY_CURRENT_USER\software\Kdr\Updater\Chrome\Settings]
    • "cr-hompageurl" = "http://www.google.com.tr"
  • [HKEY_CURRENT_USER\Software\Kdr\Updater\Chrome\Macro]
    • "apnureversion" = "2"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
    • "1" = "%variable%;C:\ProgramData\ChromeUpdate\update.xml"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KdrToolbar\Chrome]
    • "extid" = "%appid%"
    • "lastUpdatedCRX" = "%appid%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KdrToolbar\Macro]
    • "apn_dbr" = "cr_25.0.1364.97"
    • "build" = "35882"
    • "cbid" = "^A3"
    • "cr-o" = "10151cr"
    • "crumb" = "2013.02.26+06.53.60-toolbar013iad-TR-SXNOYW5idWwsVHVya2V5"
    • "dtid" = "^YYYYYY^YY^TR"
    • "hpr" = "YES"
    • "if" = "first"
    • "l" = "dis"
    • "locale" = "en_US"
    • "1.90" = "1.90"

Spreading on removable media

MSIL/Agent.DQ is a worm that spreads via removable media.


The worm copies itself into the root folders of removable drives using the following name:

  • Security.exe

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 4 URLs and communicates with them over HTTP.

The worm tries to download several files from the Internet. These are stored in the following locations:

  • C:\ProgramData\ChromeUpdate\chrome.crx
  • C:\ProgramData\ChromeUpdate\update.xml

The ExtensionInstallForcelist policy entry set during installation references this update.xml.

The worm may execute the following commands:

  • chrome.exe https://www.google.com.tr
  • taskkill /f /im chrome.exe

The worm requires the Microsoft .NET Framework to run.
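The indicators listed under Installation, Spreading on removable media and Other information can be checked offline against a registry export and a file listing from a suspect host. The script below is an added example, not ESET's code or part of this description: it parses a regedit-style .reg export, matches the registry values and file paths given above, and treats Security.exe as an indicator only when it sits in the root of a drive the caller identifies as removable. The sample export and file list are constructed, and the 32-character extension id in the ExtensionInstallForcelist value is made up, since the description gives it only as %variable%.

```python
# Added example (not ESET's code): offline triage of the MSIL/Agent.DQ
# indicators above against a .reg export and a file listing.
import re

# Registry indicators from the description: (key, value name, expected).
# `expected` is a str (compared case-insensitively), an int (REG_DWORD) or
# a compiled regex where the description gives the value only partially.
REGISTRY_IOCS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ChromeUpdate", r"C:\ProgramData\ChromeUpdate\ChromeUpdate.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", 0),
    (r"HKEY_CURRENT_USER\Software\Kdr\Updater\Chrome\Settings",
     "cr-hompageurl", "http://www.google.com.tr"),
    # The extension id (%variable% above) is unknown: match on the update.xml path.
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
     "1", re.compile(r";C:\\ProgramData\\ChromeUpdate\\update\.xml$", re.I)),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\KdrToolbar\Macro", "build", "35882"),
]
# Files the worm drops or downloads, and the name it uses on removable media.
FILE_IOCS = [
    r"C:\ProgramData\ChromeUpdate\ChromeUpdate.exe",
    r"C:\ProgramData\ChromeUpdate\chrome.crx",
    r"C:\ProgramData\ChromeUpdate\update.xml",
]
REMOVABLE_NAME = "security.exe"


def _unescape(s):
    # Undo .reg string escaping: \\ becomes \ and \" becomes "
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse 'Windows Registry Editor Version 5.00' text into
    {key: {value_name: value}}. REG_SZ becomes str, REG_DWORD int; other
    types (hex:..., possibly continued over several lines) stay raw text."""
    keys, current = {}, None
    line_re = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            current = None if body.startswith("-") else body  # [-KEY] deletes a key
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = line_re.match(line) if current is not None else None
        if not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def _matches(expected, actual):
    if isinstance(expected, re.Pattern):
        return isinstance(actual, str) and bool(expected.search(actual))
    if isinstance(expected, str) and isinstance(actual, str):
        return expected.lower() == actual.lower()
    return expected == actual


def scan_registry(keys):
    """Return [(key, value_name, actual_value)] for each indicator present.
    Key and value names compare case-insensitively, as the registry does."""
    by_key = {k.lower(): v for k, v in keys.items()}
    hits = []
    for key, name, expected in REGISTRY_IOCS:
        for vname, actual in by_key.get(key.lower(), {}).items():
            if vname.lower() == name.lower() and _matches(expected, actual):
                hits.append((key, name, actual))
    return hits


def scan_files(paths, removable_roots=()):
    """Return paths that match the dropped/downloaded files, plus Security.exe
    in the root of any drive listed in `removable_roots` (e.g. 'E:\\')."""
    wanted = {p.lower() for p in FILE_IOCS}
    roots = {r.rstrip("\\").lower() for r in removable_roots}
    hits = []
    for p in paths:
        low = p.lower()
        head, _, tail = low.rpartition("\\")
        if low in wanted or (tail == REMOVABLE_NAME and head in roots):
            hits.append(p)
    return hits


# Constructed sample export: the worm's Run entry beside a benign one,
# Explorer's Hidden flag, and a forced Chrome extension with a made-up id.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ChromeUpdate"="C:\\ProgramData\\ChromeUpdate\\ChromeUpdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;C:\\ProgramData\\ChromeUpdate\\update.xml"
'''
# Constructed listing: one download, the removable-drive copy, and a
# Security.exe on the system volume that must not be flagged.
SAMPLE_FILES = [
    r"C:\ProgramData\ChromeUpdate\chrome.crx",
    r"C:\Windows\System32\Security.exe",
    r"E:\Security.exe",
]


def triage(reg_text=SAMPLE_REG, paths=SAMPLE_FILES, removable_roots=("E:\\",)):
    """Run both scans and return (registry_hits, file_hits)."""
    return scan_registry(parse_reg_export(reg_text)), scan_files(paths, removable_roots)


if __name__ == "__main__":
    reg_hits, file_hits = triage()
    for key, name, value in reg_hits:
        print(f"[registry] {key}\\{name} = {value!r}")
    for path in file_hits:
        print(f"[file]     {path}")
```

Exports written by regedit are UTF-16LE, so read a real one with open(path, encoding="utf-16") before passing it to parse_reg_export. The Explorer Hidden value and the KdrToolbar settings are weak on their own; the Run entry, the ChromeUpdate directory and a policy-forced extension pointing at a local update.xml are the indicators worth acting on.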
