# Virus

## W32/Agent.AJFK!tr

### Analysis

W32/Agent.AJFK!tr is a generic detection for a keylogger/botnet/downloader trojan. Since this is a generic detection, samples detected as W32/Agent.AJFK!tr may vary in behaviour.
Below are some of its observed characteristics/behaviours:

• This malware may drop any of the following file(s):
  • %systemroot%\system\cmsys.cmn: This file is non-malicious.
  • %systemroot%\system\spoolsv.exe: This file is detected as W32/Agent.AJFK!tr.
  • %systemroot%\system\explorer.exe: This file is detected as W32/Agent.AJFK!tr.
  • %systemroot%\system\svchost.exe: This file is detected as W32/Agent.AJFK!tr.
  • %appdata%\mrsys.exe: This file is detected as W32/Agent.AJFK!tr.
  • %Appdata%\[Random1]\[Random2].lck: This file is non-malicious.
  • %Appdata%\[Random1]\[Random2].exe: This file is detected as W32/Agent.AJFK!tr.
  • %temp%\[Random].tmp: This file is non-malicious.
  • %Appdata%\svchost.exe: This file is a copy of the original malware itself.
  • %startup%\wordpad.exe: This file is a copy of the original malware itself.
  • %Appdata%\dwm.exe: This file is a copy of the original malware itself.

• This malware may connect to any of the following remote site(s):
  • naval.duckdn{Removed}.org
  • quantumeqyp{Removed}.com
  • lopxin{Removed}.bid
  • 23ac{Removed}.site
  • hxxp://cm-g{Removed}.com /new/five/five/fre.php
  • hxxp://23ac{Removed}.site/fox/plugins/keylogger.p
  • hxxp://23ac{Removed}.site/fox/plugins/ftp.p

• This malware may apply any of the following registry modification(s):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunOnce
    • Explorer = %systemroot%\explorer.exe RO
    This automatically executes the dropped file every time a new user logs in.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunOnce
    • Svchost = %systemroot%\svchost.exe RO
    This automatically executes the dropped file every time a new user logs in.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Currentversion\Winlogon
    • Shell = %systemroot%\explorer.exe, c:\windows\system\explorer.exe
    This automatically executes the dropped file every time the user logs in.
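As a defender-side triage aid added here (not part of the original write-up), the following Python checks a host snapshot for the persistence and masquerading patterns listed above: system-binary names registered under Run/RunOnce, a Winlogon Shell value carrying entries beyond the genuine explorer.exe, and files named like Windows binaries sitting outside their home directories. The expected home directories and the placeholder expansions in `ENV` are assumptions of this example, not values from the page.

```python
import ntpath

# Names the page says the dropper reuses, mapped to the directory where the genuine
# Windows binary of that name lives (general Windows knowledge, not taken from the page).
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "dwm.exe": r"c:\windows\system32",
    "wordpad.exe": r"c:\program files\windows nt\accessories",
}
# Placeholder expansion used for comparison only; assumes a profile named "u".
ENV = {"%systemroot%": r"c:\windows", "%appdata%": r"c:\users\u\appdata\roaming",
       "%startup%": r"c:\users\u\appdata\roaming\microsoft\windows\start menu\programs\startup"}

def normalise(path):
    """Lower-case a path, strip quotes and expand the placeholders the page uses."""
    p = path.strip().strip('"').lower()
    for var, real in ENV.items():
        p = p.replace(var, real)
    return p

def masquerading(path):
    """True when a file carries a system-binary name but sits outside that binary's home."""
    p = normalise(path)
    home = EXPECTED_DIR.get(ntpath.basename(p))
    return home is not None and ntpath.dirname(p) not in ("", home)

def check_files(paths):
    """Dropped-file indicators: system-binary names under %appdata%, %startup% or \\system."""
    return [p for p in paths if masquerading(p)]

def check_autoruns(values):
    """Run/RunOnce values (name -> command line) whose image is named like a system binary.
    Windows never registers explorer/svchost/spoolsv/dwm here, so any such entry is a hit."""
    hits = []
    for name, cmd in values.items():
        image = cmd.split()[0] if cmd.strip() else ""  # first token; no quoted-path parsing
        if ntpath.basename(normalise(image)) in EXPECTED_DIR:
            hits.append((name, image))
    return hits

def check_winlogon_shell(shell_value):
    """Winlogon\\Shell entries other than the genuine explorer.exe (the default is just that)."""
    return [e.strip() for e in shell_value.split(",")
            if ntpath.basename(normalise(e)) != "explorer.exe" or masquerading(e)]

if __name__ == "__main__":  # constructed sample reproducing the page's registry values
    print(check_autoruns({"Explorer": r"%systemroot%\explorer.exe RO",
                          "Svchost": r"%systemroot%\svchost.exe RO"}))
    print(check_winlogon_shell(r"%systemroot%\explorer.exe, c:\windows\system\explorer.exe"))
```

On a live host the same functions can be fed the output of `reg query` and a directory listing; the first-token image parsing does not handle quoted paths containing spaces.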