Threat Descriptions

Trojan:JS/Agent.JP

Classification

Category :

Malware

Type :

Trojan

Platform :

JS

Aliases :

Trojan:JS/Agent.JP, Worm:VBS/Autorun.Bl

Summary

This malware does nothing except propagate itself. It is capable of propagating by contaminating CDs burned on an infected system with copies of its infectious code.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

During installation, the malware creates a decrypted copy of itself as %temp% \[Random].tmp. This file is detected as Worm.VBS.Agent.w. It then executes this decrypted copy, using the following command:

  • WScript.exe /e:VBScript %temp%\[Random].tmp "Q"

Next, the malware creates the following files:

  • %temp%\Yuyun.Q
  • %temp%\auto.exe

The first file contains zero bytes. The file %temp%\auto.exe is actually the autorun file for the decrypted copy of the malware, and it is this particular file that is detected as Trojan:JS/Agent.JP.The malware attempts to create a copy of itself in the following Alternate Data Stream file:

  • %WinDir%:Microsoft Office Update for Windows XP.sys

It also creates a copy of itself in the following folder:

  • %MyDocuments%\database.mdb

Propagation

This malware is capable of propagating through infected CD ROM discs. To do so, the malware creates the following files:

  • %ApplicationData%\Microsoft\CD Burning\thumb.db
  • %ApplicationData%\Microsoft\CD Burning\autorun.inf

The first file is also detected as Trojan:JS/Agent.JP, while the second file is the autorun file for the first. Subsequently, all CDs burned on the infected system will be contaminated with these files.The file %ApplicationData%\Microsoft\CD Burning\autorun.inf contains the following data:

https://www.f-secure.com/v-pics/trojan_js_agent_jp_autorun.png

This same data is also present in the %temp%\auto.exe file.

Registry

The malware makes a number of modifications to the registry to facilitate its propagation. Some interesting changes it makes include disabling the Registry Editor by creating the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\SystemDisableRegistrytools
    = dword:00000001

Also, the malware checks whether the day of the month is "1"; if so, it creates the following registries:

  • HKCR\CLSID\{11111111-2222-3333-4444-555555555555}(Default) = "Yuyun_Cantix"
  • HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\DefaultIcon(Default) = "shell32.dll,48"
  • HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\ShellFolderAttributes = dword:00000000
  • HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{11111111-2222-3333-4444-555555555555}

And then creates the following file:

  • %temp%\v.doc

Note: v.doc is normal file.

Activation

The malware checks whether the date is April 1; if so, it runs the file %temp%\v.doc, using the following command three times:

  • notepad.exe /p %temp%\v.doc

The command allows the malware to print the file under notepad.exe process. The printed file should look like this:

The malware then takes a number of actions involving:

  • All found drives
  • Folders under that drive
    • %MyDocuments%
    • Folders under %MyDocuments%,
    • %MyNetworkPlaces% shares
  • Folders under %MyNetworkPlaces% shares

First, it drops the following files to these locations:

  • thumb.db
  • autorun.inf
  • Microsoft.lnk

Notes: thumb.db is a copy of the malware; autorun.inf is the malware's autorun file; Microsoft.lnk is a shortcut link to "[drive]:\thumb.db".The shortcut file link text is named after the folder name.If the date is April 1, it also drops:

  • A copy of %temp%\v.doc
  • Baca AQ.rtf
  • My name is Yuyun.rtf

It may also create one of the following shortcut file links "[drive]:\thumb.db" to these locations:

  • New Harry Potter and....lnk
  • New Folder.lnk
  • SuratQ.lnkv
  • Rahasia.lnk
  • Game.lnk
  • Zvnita.lnk
  • Download.lnk
  • DataQ.lnk

Registry Modifications

Creates these keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunExplorer = Wscript.exe //e:VBScript
    "%MyDocuments%\database.mdb"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • WinUpdate = Wscript.exe //e:VBScript "%WinDir%:Microsoft Office Update for Windows XP.sys"

Deletes these keys:

  • HKCR\lnkfile\IsShortcut