
Win32.Worm.Agent.QAL


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Agent.QAL is also known as Trojan-Downloader.Win32.VB.hsi, W32/Autorun.worm.dq.gen and virus.

Explanation:

When first run, this malware drops the library files of the E programming language runtime into the %TEMP%\E_4 folder. These files are later copied into the %SYSTEM% folder with the hidden attribute set. A copy of the worm is created in the %SYSTEM% folder under the name XP-D41D8CD9.exe, together with the following registry value, which causes that file to run at every system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Name : XP-D41D8CD9.exe
Value: %SYSTEM%\XP-D41D8CD9.exe
A link to this file is also added to the Startup menu under the name " iiiiii ".

Next, it drops og.dll, og.EDT and ul.dll into the %SYSTEM% folder. These files are not executable; they contain only encrypted data.
The malware then attempts to download the following files onto the user's computer:
http://hi.baidu.com/siletoyou
http://hidata[removed].com/ul.htm
http://www.yean[removed].com/ul.htm
(When this description was written, only the second link was still active, and the downloaded file contains encrypted data that is used by the worm.)

Every 30 seconds it checks for removable drives; if one is found, it copies itself there as Recycled.exe and creates an autorun.inf file that launches that copy.
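The persistence and spreading indicators above (the Run value XP-D41D8CD9.exe and the Recycled.exe plus autorun.inf pair on removable media) can be triaged with a small script. The following is an added example, not BitDefender's code: it parses an autorun.inf for launch targets, checks a set of Run-key entries for the worm's file name, and reads the live HKLM Run key when run on Windows. The sample autorun.inf is constructed for illustration.

```python
"""Triage helpers for the Win32.Worm.Agent.QAL indicators (added example, not BitDefender's code)."""
import configparser
import os
import sys

WORM_EXE = "XP-D41D8CD9.exe"      # copy dropped in %SYSTEM% and registered in the Run key
REMOVABLE_COPY = "Recycled.exe"   # copy written to removable drives
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
LAUNCH_KEYS = ("open", "shellexecute")   # autorun.inf keys that start a program directly

def autorun_launch_targets(inf_text: str) -> list[str]:
    """Return every program an autorun.inf would launch (open=, shellexecute=, shell\\*\\command=)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower            # autorun.inf keys are case-insensitive
    cp.read_string(inf_text)
    targets = []
    if cp.has_section("autorun"):
        for key, value in cp.items("autorun"):
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.strip())
    return targets

def is_suspicious_autorun(inf_text: str) -> bool:
    """True when a launch target's file name matches the worm's removable-drive copy."""
    return any(os.path.basename(t.split()[0]).lower() == REMOVABLE_COPY.lower()
               for t in autorun_launch_targets(inf_text) if t)

def suspicious_run_entries(run_values: dict[str, str]) -> list[str]:
    """Given {value name: command} pairs from a Run key, return the names tied to the worm's file."""
    return [name for name, cmd in run_values.items()
            if name.lower() == WORM_EXE.lower() or WORM_EXE.lower() in cmd.lower()]

def read_run_key_hklm() -> dict[str, str]:
    """Enumerate HKLM\\...\\Run on a live Windows host; returns {} elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)   # raises OSError past the last value
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values

# Constructed sample modelled on the behaviour described above (not a captured file).
SAMPLE_AUTORUN = "[autorun]\nopen=Recycled.exe\nshell\\open\\command=Recycled.exe\nicon=Recycled.exe\n"

if __name__ == "__main__":
    print("autorun launches:", autorun_launch_targets(SAMPLE_AUTORUN))
    print("suspicious autorun.inf:", is_suspicious_autorun(SAMPLE_AUTORUN))
    print("suspicious Run entries:", suspicious_run_entries(read_run_key_hklm()))
```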

Last update 21 November 2011
