MSIL/Agent.DQ [Threat Name] go to Threat

MSIL/Agent.DQ [Threat Variant Name]

MSIL/Agent.DQ is a worm that spreads via removable media.

When executed, the worm copies itself into the following location:

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "ChromeUpdate" = "C:\ProgramData\ChromeUpdate\ChromeUpdate.exe"

The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 0
[HKEY_CURRENT_USER\software\Kdr\Updater\Chrome\Settings]
- "cr-hompageurl" = "http://www.google.com.tr"
[HKEY_CURRENT_USER\Software\Kdr\Updater\Chrome\Macro]
- "apnureversion" = "2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
- "1" = "%variable%;C:\ProgramData\ChromeUpdate\update.xml"
[HKEY_LOCAL_MACHINE\SOFTWARE\KdrToolbar\Chrome]
- "extid" = "%appid%"
- "lastUpdatedCRX" = "%appid%"
[HKEY_LOCAL_MACHINE\SOFTWARE\KdrToolbar\Macro]
- "apn_dbr" = "cr_25.0.1364.97"
- "build" = "35882"
- "cbid" = "^A3"
- "cr-o" = "10151cr"
- "crumb" = "2013.02.26+06.53.60-toolbar013iad-TR-SXNOYW5idWwsVHVya2V5"
- "dtid" = "^YYYYYY^YY^TR"
- "hpr" = "YES"
- "if" = "first"
- "l" = "dis"
- "locale" = "en_US"
- "1.90" = "1.90"

MSIL/Agent.DQ is a worm that spreads via removable media.

The worm copies itself into the root folders of removable drives using the following name:

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (4) URLs. The HTTP protocol is used.

The worm tries to download several files from the Internet.

These are stored in the following locations:

The worm may execute the following commands:

Worm requires the Microsoft .NET Framework to run.