Troj/Qoolaid-AN

Category: Viruses and Spyware
Protection available since: 22 Mar 2006 00:00:00 (GMT)
Type: Trojan
Last Updated: 22 Mar 2006 00:00:00 (GMT)
Prevalence: No Reports


Troj/Qoolaid-AN is a downloader/installer for Troj/Qoolaid-AL and Troj/Qoolaid-AM.

Troj/Qoolaid-AN installs the following files:

<Temp>\f191203.exe
<Windows>\bbevqv.dat
<Windows>\unwn.exe
<System>\dmonwv.dll
<System>\jaicg.exe
<System>\uupgqem.exe
<System>\yngbr.dat

The files jaicg.exe, uupgqem.exe and yngbr.dat are detected as Troj/Qoolaid-AL and the file dmonwv.dll is detected as Troj/Qoolaid-AM.

The files jaicg.exe and uupgqem.exe are stealthed, including their processes.

The following registry entries are created to run jaicg.exe and uupgqem.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe, <System>\jaicg.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,uupgqem.exe

The above registry entries are continually refreshed in an attempt to prevent deletion.

The file dmonwv.dll is registered as a COM object, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\(4ABF810A-F11D-4169-9D5F-7D274F2270A1)
HKCR\CLSID\(CE3A44D8-BC88-4D62-A890-42D96245F8D6)

The following registry entry is created to register dmonwv.dll as a shell extension column handler:

HKCR\Folder\shellex\ColumnHandlers\(CE3A44D8-BC88-4D62-A890-42D96245F8D6)
(Default)
(CE3A44D8-BC88-4D62-A890-42D96245F8D6)

This causes dmonwv.dll to be loaded by the EXPLORER process on startup.

Registry entries are created under:

HKLM\SOFTWARE\qstat
HKLM\SOFTWARE\Microsoft\wwdqoq
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webnexus

Troj/Qoolaid-AN provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "Web Nexus Network".
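The persistence locations described above (the Winlogon Shell and Userinit values, the Folder ColumnHandlers shell extension, and the named registry keys) can be audited on a suspect host with the PowerShell script below. It is an added example written for this page, not Sophos tooling and not part of the original advisory. The function name Find-QoolaidPersistence is invented; the CLSIDs, file names and key paths are the ones listed in the advisory (CLSIDs are written in braces here, which is how the registry stores them); and the baseline values it compares against (Shell = "explorer.exe", Userinit = "<System>\userinit.exe," with nothing after the comma) are the standard Windows defaults.

```powershell
# Added example, not from the Sophos advisory: audit the persistence locations
# the advisory lists and return every deviation from Windows defaults.
# Run in an elevated PowerShell session on the host being examined.
function Find-QoolaidPersistence {
    $winlogon       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $columnHandlers = 'Registry::HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers'

    # Indicators copied from the advisory (braces as stored in the registry).
    $knownClsids = @('{CE3A44D8-BC88-4D62-A890-42D96245F8D6}',
                     '{4ABF810A-F11D-4169-9D5F-7D274F2270A1}')
    $knownFiles  = @('jaicg.exe', 'uupgqem.exe', 'dmonwv.dll', 'yngbr.dat',
                     'unwn.exe', 'bbevqv.dat', 'f191203.exe')
    $knownKeys   = @('HKLM:\SOFTWARE\qstat',
                     'HKLM:\SOFTWARE\Microsoft\wwdqoq',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webnexus')

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon\Shell: the Windows default is exactly "explorer.exe".
    #    The advisory's sample appends ", <System>\jaicg.exe".
    $shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        $findings.Add("Winlogon\Shell is not the default: '$shell'")
    }

    # 2. Winlogon\Userinit: the default is "<System>\userinit.exe," with nothing
    #    after the trailing comma. The sample appends "uupgqem.exe".
    $userinit = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $entries = @($userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($entries.Count -ne 1 -or $entries[0] -notmatch '\\userinit\.exe$') {
            $findings.Add("Winlogon\Userinit has extra entries: '$userinit'")
        }
    }

    # 3. Folder ColumnHandlers: each subkey is a CLSID whose InprocServer32 DLL
    #    Explorer loads at startup. Flag known CLSIDs, known file names, and any
    #    handler whose DLL no longer exists on disk.
    if (Test-Path -Path $columnHandlers) {
        foreach ($sub in Get-ChildItem -Path $columnHandlers) {
            $clsid  = $sub.PSChildName
            $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                       -ErrorAction SilentlyContinue).'(default)'
            $serverPath = if ($server) { [Environment]::ExpandEnvironmentVariables($server.Trim('"')) } else { '' }
            $dllName    = if ($serverPath) { [System.IO.Path]::GetFileName($serverPath) } else { '' }
            if ($knownClsids -contains $clsid) {
                $findings.Add("ColumnHandlers: CLSID $clsid matches the advisory (server: '$server')")
            } elseif ($dllName -and $knownFiles -contains $dllName) {
                $findings.Add("ColumnHandlers: CLSID $clsid loads a file named in the advisory: '$server'")
            } elseif ($serverPath -and -not (Test-Path -LiteralPath $serverPath)) {
                $findings.Add("ColumnHandlers: CLSID $clsid points at a missing DLL '$server'")
            }
        }
    }

    # 4. Keys the advisory says the installer creates.
    foreach ($key in $knownKeys) {
        if (Test-Path -Path $key) { $findings.Add("Registry key present: $key") }
    }

    return $findings
}

Find-QoolaidPersistence | ForEach-Object { Write-Output $_ }
```

Two caveats follow from the advisory itself. The Winlogon values are continually rewritten while jaicg.exe and uupgqem.exe run, so a finding that vanishes and returns between runs is itself a signal, and the values cannot be cleaned while those (hidden) processes are still alive. The ColumnHandlers check is heuristic: legitimate column handlers exist on most systems, so only the "matches the advisory" and "missing DLL" results should be treated as strong indicators.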