TROJ_DLOAD.QYUA

This Trojan executes the file ipconfig.exe. If unsuccessful, it will terminate itself. It has a routine that adds garbage data to the resource section of its dropped files, making their sizes vary.

This Trojan may be downloaded by other malware/grayware from remote sites.

It opens a hidden Internet Explorer window. It deletes itself after execution.

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

• HTML_EXPLT.QYUA

Installation

This Trojan drops and executes the following files:

• %System%\drivers\com32.sys - detected as RTKT_MDIEXP.QYUA
• %System%\com32.dll - also detected as TROJ_DLOAD.QYUA

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following non-malicious file:

• %System%\VersionKey.ini

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• RktDownload{random numbers}

Other Details

This Trojan opens a hidden Internet Explorer window.

It deletes itself after execution.

NOTES:

It executes the file ipconfig.exe. If unsuccessful, it will terminate itself.

It has a routine that adds garbage data to the resource section of its dropped files, making their sizes vary.

It checks if any of the following processes are running:

• SpStart.exe
• IRPro.exe
• Remon.exe

If found, it drops and executes the file %System%\FileDisk.sys also detected as RTKT_MDIEXP.QYUA. It then copies itself as Z:\WINDOWS\system32\userinit.exe.

The DLL component file accesses the following URL to download its configuration file:

• http://file.{BLOCKED}egirl.com/20120120.jpg

It saves the downloaded file as %User Temp%\fuc{number}.tmp. The said configuration file contains the following URL that it accesses to download and execute a malicious file:

• http://file.{BLOCKED}egirl.com/20120120.exe - detected as TSPY_ONLING.KREA

It checks if any of the following processes related to antivirus are running:

• AYRTSrv.aye
• ALYac.aye
• AYServiceNT.aye
• v3light.exe
• v3lsvc.exe
• v3ltray.exe
• NVCAgent.npc
• nsvmon.npc
• Nsavsvc.npc

If found it will modify the privileges of the said process. It will then delete its configuration file.