TROJ_AGENT.JAAB

This Trojan may be downloaded from remote sites by other malware.

Arrival Details

This Trojan may be downloaded from the following remote site(s):

• http://web.kfc.ha.cn:6668/Down/my/124.exe

It may be downloaded from remote site(s) by the following malware:

• JS_AGENT.AYMN

Installation

This Trojan adds the following folders:

• C:\Winup
• D:\Winup

It adds the following processes:

• cmd.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• mutex_cpa_.la
• mutex_cj1.la
• mutex_cj2.la

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}.ha.cn:6668/Down/ext2/wow.exe - detected as TSPY_GAMETHI.ECF
• http://{BLOCKED}.ha.cn:6668/Down/ext2/wd.exe - detected as TSPY_LOLYDA.SMF
• http://{BLOCKED}.ha.cn:6668/Down/ext2/mhxy.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext2/tl.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext2/dh2.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext/100013.exe - detected as TROJ_STARTPA.ABB
• http://{BLOCKED}.ha.cn:6668/Down/ext2/wl.exe - detected as TSPY_GAMETHI.ECE
• http://{BLOCKED}.ha.cn:6668/Down/ext/fetion016.exe - detected as TROJ_DLOADR.AVQ
• http://{BLOCKED}.ha.cn:6668/Down/ext/me2430.exe - detected as TROJ_STARTPA.SB
• http://{BLOCKED}.ha.cn:6668/Down/ext2/rxcq.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext/qm.exe - detected as TSPY_QQPASS.ARJ
• http://{BLOCKED}.ha.cn:6668/Down/ext/small.exe - detected as TROJ_DROPPR.CK
• http://{BLOCKED}.ha.cn:6668/Down/ext/baoma.exe - detected as MAL_OTORUN5
• http://{BLOCKED}.ha.cn:6668/Down/ext2/wmgj.exe - detected as TSPY_GAMETHI.ECG
• http://{BLOCKED}.ha.cn:6668/Down/ext2/qqhx.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext/dmlq.exe - detected as TROJ_NETINS.SMA
• http://{BLOCKED}.ha.cn:6668/Down/ext/dianxin.exe - detected as TROJ_DROPPR.CN
• http://{BLOCKED}.ha.cn:6668/Down/ext2/lszt.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext2/zx2.exe - detected as TSPY_GAMETHI.ECK
• http://{BLOCKED}.ha.cn:6668/Down/ext/4002.exe - detected as TROJ_DLOADR.AVO
• http://{BLOCKED}.ha.cn:6668/Down/ext2/my.exe - detected as TSPY_GAMETHI.ECJ
• http://{BLOCKED}.ha.cn:6668/Down/ext2/jxsj.exe - detected as TSPY_GAMETHI.ECH
• http://{BLOCKED}.ha.cn:6668/Down/ext/dk.exe - detected as TROJ_AGENT.SMA
• http://{BLOCKED}.ha.cn:6668/Down/ext2/qqsg.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext2/mhzx.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext2/cqsj.exe - detected as TSPY_DOZMOT.SMC
• http://{BLOCKED}.ha.cn:6668/Down/ext/Alexa.exe - detected as TROJ_DLOADR.AVP
• http://{BLOCKED}c.ha.cn:6668/Win7/mp/g.css - detected as TROJ_HAMER.D

It saves the files it downloads using the following names:

• c:\Winup\kb93623.exe

Other Details

This Trojan checks for the presence of the following process(es):

• 360sd.exe
• 360tray.exe
• MPMon.exe
• Mcshield.exe
• Ravmond.exe
• VPTray.exe
• ashWebSv.exe
• avguard.exe
• avp.exe
• ekrn.exe
• kissvc.exe
• kvsrvxp.exe
• BarClientView.exe
• Barclient.exe
• EWay.exe
• NBClient.exe
• NxpAuxSvc.exe
• clsmn.exe
• mzdclient.exe
• scon.exe

It does the following:

• Posts information about the affected system to the URL http://{BLOCKED}.ha.cn:81/admin/count.php
• Posted information include: MAC address, PC type, antivirus name
• Executes the command "net stop sharedaccess" to disable the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service
• Connects to http://{BLOCKED}.ha.cn:6668/Down/list.txt to download a text file