Troj/Agent-QLE

Category: Viruses and Spyware
Type: Trojan
Protection available since: 21 Feb 2011 13:59:06 (GMT)
Last Updated: 21 Feb 2011 15:04:08 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Agent-QLE include:

Example 1

File Information

Size: 88K
SHA-1: 370ca54ac7d26774b1942126439c8aed35086124
MD5: 5a40ab0e1a11a3d59884e7c43bdf7fe7
CRC-32: 1239a5db
File type: application/x-ms-dos-executable
First seen: 2011-02-21

Example 2

File Information

Size: 619K
SHA-1: 5e026a236d19a8a949b754c899f4d736d72b65cb
MD5: 3f69cf1c40fccf4e91bd5f013b598a95
CRC-32: 5b2db3ed
File type: application/x-ms-dos-executable
First seen: 2011-02-21

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\php_bcompiler.dll
  • C:\WINDOWS\system32\php_bcompiler.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\php4ts.dll
    Size: 1.6M
    SHA-1: 33d32eafd23304ee053c647579aa4d9db97a2348
    MD5: 572ad0eb355d5725904c5e9d74b1a696
    CRC-32: 699bda8d
    File type: application/x-ms-dos-executable
    First seen: 2011-01-19
  • c:\Documents and Settings\test user\Local Settings\Temp\hello.exe
    Size: 88K
    SHA-1: 370ca54ac7d26774b1942126439c8aed35086124
    MD5: 5a40ab0e1a11a3d59884e7c43bdf7fe7
    CRC-32: 1239a5db
    File type: application/x-ms-dos-executable
    First seen: 2011-02-21
  • C:\WINDOWS\system32\FacebookSystems.exe
    Size: 88K
    SHA-1: 370ca54ac7d26774b1942126439c8aed35086124
    MD5: 5a40ab0e1a11a3d59884e7c43bdf7fe7
    CRC-32: 1239a5db
    File type: application/x-ms-dos-executable
    First seen: 2011-02-21
  • C:\WINDOWS\system32\php4ts.dll
    Size: 1.6M
    SHA-1: 33d32eafd23304ee053c647579aa4d9db97a2348
    MD5: 572ad0eb355d5725904c5e9d74b1a696
    CRC-32: 699bda8d
    File type: application/x-ms-dos-executable
    First seen: 2011-01-19
  • c:\Documents and Settings\test user\Local Settings\Temp\system.vbs
    Size: 113
    SHA-1: 05cb07bb6b488ce1514228fae4f97c2aeedbf965
    MD5: bc15a89320bc1e20276f1bc1e32023c1
    CRC-32: 7a2273be
    File type: application/octet-stream
    First seen: 2011-02-21
  • C:\WINDOWS\system32\FacebookSystems.vbs
    Size: 120
    SHA-1: d61fe862d6241655a73697bc2cecb372e578be9c
    MD5: 5efdc328cffa3444a5a00c4783aa9fdb
    CRC-32: 78e12ef6
    File type: application/octet-stream
    First seen: 2011-02-21
  • c:\Documents and Settings\test user\Local Settings\Temp\system.bat

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA = 0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
    LogSessionName = stdout
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
    BitNames = NAP_TRACE_BASE NAP_TRACE_NETSH
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    FacebookSystems = C:\WINDOWS\system32\FacebookSystems.vbs
  • HKLM\SOFTWARE\Microsoft\Security Center
    UACDisableNotify = 0x00000001
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
    EnableFileTracing = 0x00000000

Processes Created
  • c:\docume~1\support\locals~1\temp\hello.exe
  • c:\windows\system32\attrib.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\reg.exe
  • c:\windows\system32\wscript.exe

Example 3

File Information

Size: 113
SHA-1: 05cb07bb6b488ce1514228fae4f97c2aeedbf965
MD5: bc15a89320bc1e20276f1bc1e32023c1
CRC-32: 7a2273be
File type: application/octet-stream
First seen: 2011-02-21