Troj/Agent-AGHI

Category: Viruses and Spyware
Type: Trojan
Protection available since: 15 Mar 2014 22:57:08 (GMT)
Last Updated: 15 Mar 2014 22:57:08 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Agent-AGHI include:

Example 1

File Information

File type
application/x-ms-dos-executable

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Application Data\Nuezem\ynmoyf.exe
  • c:\Documents and Settings\test user\Application Data\Ivo\xuitkys.ont
Modified Files
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
  • %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
Registry Keys Created
  • HKCR\S2_XY.Application
    (Default)
    S2_XY.Application
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\explorer.exe
    %windir%\explorer.exe
  • HKCR\CLSID\{95435A23-935A-4580-9248-155D952096BE}\LocalServer32
    (Default)
    C:\DOCUME~1\support\APPLIC~1\Nuezem\ynmoyf.exe
  • HKCU\Identities
    Identity Login
    0x00098053
  • HKCR\CLSID\{95435A23-935A-4580-9248-155D952096BE}\ProgID
    (Default)
    S2_XY.Application
  • HKCU\Software\Microsoft\Osecva
    Koox
    (binary data, not printable)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    {7EDCD9A2-D1AF-5370-9F95-A4AA2FF3F645}
    "c:\Documents and Settings\test user\Application Data\Nuezem\ynmoyf.exe"
  • HKCR\CLSID\{95435A23-935A-4580-9248-155D952096BE}\InprocHandler32
    (Default)
    ole32.dll
  • HKCR\CLSID\{95435A23-935A-4580-9248-155D952096BE}
    (Default)
    S2_XY.Application
  • HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies
    0x00000000
  • HKCR\S2_XY.Application\CLSID
    (Default)
    {95435A23-935A-4580-9248-155D952096BE}
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
    TimeStamp
    44 fd d8 a5 6f 40 cf 01
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609
    0x00000000
  • HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
    Compact Check Count
    0x00000008
Processes Created
  • c:\Documents and Settings\test user\application data\nuezem\ynmoyf.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://networksecurityx.hopto.org/
DNS Requests
  • grace-housechurch.com
  • networksecurityx.hopto.org

Example 2

File Information

Size
5.9M
SHA-1
02c6196b9efb11e0eea25dd61ae159b5aff96105
MD5
125015af64730b6c7bd2a25fa057cc70
CRC-32
0fe9eb41
First seen
2014-03-15

Runtime Analysis

Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    test_item.exe
    c:\test_item.exe
DNS Requests
  • lojazerobala.com.br

Example 3

File Information

File type
Windows executable

Runtime Analysis

HTTP Requests
  • http://lojazerobalalider.com.br/windos10.php
  • http://petshopimaginacao.com.br/erros/YMS5CNAU4JLU.tmp
DNS Requests
  • lojazerobalalider.com.br
  • petshopimaginacao.com.br
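
The indicators above can be hunted for in artefacts collected from other machines. The script below is an added example written for this page, not Sophos code: it carries the domains, URL paths, file hashes, CLSID, ProgID and Run-key value name from Examples 1 to 3 and checks them against a BIND-style DNS query log and a .reg export, both of which are constructed here for the demonstration. Two checks go beyond exact values, because the directory and file names in Example 1 (Nuezem\ynmoyf.exe, Ivo\xuitkys.ont, Osecva\Koox) look generated and are not safe to match on: any HKCU Run entry that autostarts from the user's Application Data (or AppData) folder is flagged, and so is explorer.exe appearing in the Windows Firewall AuthorizedApplications list, which the sample adds under both the Domain and Standard profiles. The hopto.org entry is a dynamic-DNS hostname, so only that exact host and its subdomains match, never the provider's whole zone.

```python
"""Offline hunt for the Troj/Agent-AGHI indicators listed above.

Added example, not Sophos code. Indicator values are copied from Examples
1-3 on this page; the DNS log and .reg export at the bottom are constructed.
"""
from __future__ import annotations

import hashlib
import re
from urllib.parse import urlsplit

# Page indicators. All matching below is case-insensitive.
C2_HOSTS = {
    "networksecurityx.hopto.org",   # Example 1 (dynamic DNS: match this host only)
    "grace-housechurch.com",        # Example 1
    "lojazerobala.com.br",          # Example 2
    "lojazerobalalider.com.br",     # Example 3
    "petshopimaginacao.com.br",     # Example 3
}
URL_PATHS = {"/windos10.php", "/erros/YMS5CNAU4JLU.tmp"}               # Example 3
KNOWN_HASHES = {"sha1": "02c6196b9efb11e0eea25dd61ae159b5aff96105",   # Example 2
                "md5": "125015af64730b6c7bd2a25fa057cc70"}
CLSID = "{95435a23-935a-4580-9248-155d952096be}"                       # Example 1
PROGID_KEY = "hkey_classes_root\\s2_xy.application"
RUN_VALUE_NAME = "{7edcd9a2-d1af-5370-9f95-a4aa2ff3f645}"


def host_matches(name: str) -> bool:
    """Listed host or a subdomain of one; never the bare hopto.org zone."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in C2_HOSTS)


def url_matches(url: str) -> bool:
    """Listed host, or one of the listed paths on any host."""
    parts = urlsplit(url)
    return host_matches(parts.hostname or "") or parts.path in URL_PATHS


def hash_matches(data: bytes) -> dict[str, bool]:
    """Which of the page's hashes the given file bytes reproduce."""
    return {alg: hashlib.new(alg, data).hexdigest() == d for alg, d in KNOWN_HASHES.items()}


# BIND-style query log: "client 10.0.0.5#51234: query: host IN A + (10.0.0.1)"
DNS_QUERY = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN ")


def scan_dns_log(text: str) -> list[tuple[str, str]]:
    """(client IP, queried name) for every query that hits a listed host."""
    hits = []
    for line in text.splitlines():
        m = DNS_QUERY.search(line)
        if m and host_matches(m["name"]):
            hits.append((m["client"], m["name"]))
    return hits


# .reg export lines: [key], "name"="data", @="data" (only string data is unescaped).
REG_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # \\ -> \ and \" -> "


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: key -> {value name: data}. dword:/hex: data kept raw."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := REG_VALUE.match(line)):
            name = "(Default)" if m["default"] else _unescape(m["name"])
            data = m["data"]
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def scan_registry(keys: dict[str, dict[str, str]]) -> list[str]:
    """Flag the COM registration, Run-key persistence and firewall exception."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if CLSID in k or k.startswith(PROGID_KEY):
            findings.append(f"com registration: {key}")
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                # Known value name, or any autostart from a profile-writable dir.
                p = data.lower()
                if name.lower() == RUN_VALUE_NAME or "\\application data\\" in p or "\\appdata\\" in p:
                    findings.append(f"run key: {name} -> {data}")
        if k.endswith("\\authorizedapplications\\list"):
            for name in values:
                if name.lower().endswith("\\explorer.exe"):
                    findings.append(f"firewall exception for explorer.exe: {key}")
    return findings


# Constructed sample inputs (not output of the page's sandbox run).
DNS_LOG = """\
15-Mar-2014 22:10:03.114 client 10.0.0.5#51234: query: networksecurityx.hopto.org IN A + (10.0.0.1)
15-Mar-2014 22:10:04.201 client 10.0.0.5#51235: query: www.example.com IN A + (10.0.0.1)
15-Mar-2014 22:11:17.009 client 10.0.0.7#41002: query: www.lojazerobala.com.br IN A + (10.0.0.1)
15-Mar-2014 22:12:00.551 client 10.0.0.9#53011: query: other.hopto.org IN A + (10.0.0.1)
"""
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{7EDCD9A2-D1AF-5370-9F95-A4AA2FF3F645}"="\"c:\\Documents and Settings\\test user\\Application Data\\Nuezem\\ynmoyf.exe\""
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\""

[HKEY_CLASSES_ROOT\CLSID\{95435A23-935A-4580-9248-155D952096BE}\LocalServer32]
@="C:\\DOCUME~1\\support\\APPLIC~1\\Nuezem\\ynmoyf.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\explorer.exe"="%windir%\\explorer.exe:*:Enabled:explorer"
"""

if __name__ == "__main__":
    print(scan_dns_log(DNS_LOG))
    print(scan_registry(parse_reg(REG_EXPORT)))
```

To run it against a real host, export the keys with reg.exe (for example `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`) and open the file with encoding="utf-16" before passing it to parse_reg, since reg.exe writes UTF-16 with a byte-order mark. The Run-key and firewall checks will also fire on legitimate software that autostarts from AppData or has been whitelisted by an administrator, so treat them as leads to review rather than verdicts; the domain, path and hash matches are the exact indicators from this page.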
