Win32/Agent.VPS [Threat Name]

Win32/Agent.VPS [Threat Variant Name]

Category: trojan
Size: 276877 B
Detection created: Mar 05, 2014
Detection database version: 10182
Aliases: Trojan.Win32.Agent.ahqgz (Kaspersky)
         TrojanDropper:Win32/Ropest.A (Microsoft)
Short description

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc. It can be controlled remotely.


Installation

The trojan searches for files with the following file extensions:

  • .exe

Only the following folder is searched:

  • %system%

It avoids files which contain any of the following strings in their path:

  • calc.exe
  • cmd.exe
  • freecell.exe
  • install
  • ping.exe
  • route.exe
  • setup
  • setup.exe
  • taskmgr.exe
  • telnet.exe
  • update

The trojan creates the following file:

  • %appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe (99840 B, Win32/Agent.VPS)

The file name and extension of the newly created file are derived from the original one.


The trojan may create the following file:

  • %appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe (132096 B, Win64/Asterope.A)

The trojan creates the following file:

  • %startup%\%selectedfilename%.lnk

The file is a shortcut to a malicious file.


This causes the trojan to be executed on every system start.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_USERS\%sid%\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%selectedfilename%" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\%sid%\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%selectedfilename%" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\%sid%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "Run" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\%sid%\Software\Microsoft\Command Processor]
    • "AutoRun" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\%sid%\Control Panel\Desktop]
    • "SCRNSAVE.EXE" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%selectedfilename%" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%selectedfilename%" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "Run" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Command Processor]
    • "AutoRun" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
  • [HKEY_USERS\.DEFAULT\Control Panel\Desktop]
    • "SCRNSAVE.EXE" = "%appdata%\Microsoft\Windows\IEUpdate\%selectedfilename%.exe"
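The persistence locations listed above can be audited with a script like the following, an added example that is not part of the ESET entry. It assumes an elevated PowerShell session on the examined host, and it only sees user hives that are currently loaded under HKEY_USERS.

```powershell
# Added example (not from the ESET entry): look for values in the persistence
# locations this entry lists that point into the IEUpdate directory it names.
$pattern  = '\\Microsoft\\Windows\\IEUpdate\\'
$findings = @()

# Subkeys and value names the entry says are set under HKEY_USERS\<sid> and HKEY_USERS\.DEFAULT.
# Name = $null means any value under the key is inspected (Run / RunOnce).
$checks = @(
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Run';               Name = $null },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\RunOnce';           Name = $null },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'Run' },
    @{ Sub = 'Software\Microsoft\Command Processor';                        Name = 'AutoRun' },
    @{ Sub = 'Control Panel\Desktop';                                       Name = 'SCRNSAVE.EXE' }
)

foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    foreach ($c in $checks) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$($c.Sub)"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }               # skip provider metadata properties
            if ($c.Name -and $p.Name -ne $c.Name) { continue }  # only the named value where one is given
            if ("$($p.Value)" -match $pattern) {
                $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

# The entry also drops a .lnk in the Startup folder; resolve each shortcut's target.
$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -match $pattern) {
        $findings += [pscustomobject]@{ Location = $_.FullName; Value = $target }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No IEUpdate persistence artifacts found.' }
```

A match in any of these locations is worth treating as a lead rather than proof on its own; confirm by checking the referenced file and the process it is running under.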

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 0
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "{A8A88C49-5EB2-4990-A1A2-0876022C854F}" = %binary%
    • "{AEBA21FA-782A-4A90-978D-B72164C80120}" = %binary%
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1400" = 0
    • "1402" = 0
    • "1601" = 0
    • "1A02" = 0
    • "1A03" = 0
    • "1A05" = 0
    • "1A06" = 0
    • "2500" = 3
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
    • "Display Inline Images" = "yes"
    • "DisableScriptDebuggerIE" = "yes"
    • "Disable Script Debugger" = "yes"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]
    • "GlobalUserOffline" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS]
    • "CheckedValue" = "yes"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    • "%malwarefilename%" = %variable%
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING]
    • "%malwarefilename%" = 1

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

A string with variable content is used instead of %variable%.


By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • operating system version
  • Internet Explorer version
  • CPU information
  • memory status
  • malware version
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine. The UDP and HTTP protocols are used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


It uses its own P2P network for communication.


The trojan contains a list of 516 IP addresses. The UDP, TCP and HTTP protocols are used.


It can execute the following operations:

  • simulate user's input (clicks, taps)
  • update itself to a newer version
  • create Registry entries
  • download files from a remote computer and/or the Internet
  • run executable files

The trojan opens UDP port 48754 and TCP port 48754.


The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\%variable1%]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\%variable1%\Enum]
  • [HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\5.0\Shared Settings\Setup\%variable2%]

The trojan keeps various information in the following files:

  • %systemdrive%\Recycler\%variable3%\$ast-%variable3%\%variable4%.dat
  • %systemdrive%\$Recycle.bin\%variable3%\$ast-%variable3%\%variable4%.dat
  • %systemdrive%\RECYCLED\$ast-%variable3%\%variable4%.dat
  • %systemdrive%\$RECYCLE.BIN\$ast-%variable3%\%variable4%.dat

A string with variable content is used instead of %variable1-4%.


The trojan hooks the following Windows APIs:

  • ZwQueryInformationProcess (ntdll.dll)
  • ZwResumeThread (ntdll.dll)
  • InternetSetStatusCallbackA (wininet.dll)
  • DialogBoxIndirectParamAorW (user32.dll)
  • GetCursorPos (user32.dll)
  • waveOutWrite (winmm.dll)

The trojan contains both 32-bit and 64-bit program components.
