Sonicwall Signatures


Go to All Categories list.

Rogue_68 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious way. Trojans do not replicate or spread to other computers. Rogue_68 is compressed using the UPX executable packer and its file size is 1,328,256 bytes. Rogue_68 drops the following files on the hard drive:
  • C:\WINDOWS\system32\CKAgent_t.exe (138320 bytes)
  • C:\WINDOWS\system32\temp_JRSKD24.SYS (95632 bytes)
  • C:\WINDOWS\system32\temp_JRSUKD25.SYS (22480 bytes)
  • C:\WINDOWS\system32\temp_kcrtx86.sys (126048 bytes)
  • C:\WINDOWS\system32\CKSetup32.exe (1260624 bytes)
  • C:\WINDOWS\system32\CKSetup32.dat (1260624 bytes)
  • C:\WINDOWS\system32\CKAgent.exe (138320 bytes)
  • C:\WINDOWS\system32\CKAgent.dat (138320 bytes)
It also changes Windows registry:
  • Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6CE20149-ABE3-462E-A1B4-5B549971AA38}".
  • Creates key "HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}".
  • Creates value "Compatibility Flags"="" in key "HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{6CE20149-ABE3-462E-A1B4-5B549971AA38}".
  • Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8FD68F8A-641E-4204-AE47-DD835C1AE756}".
  • Creates key "HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756}".
  • Creates value "Compatibility Flags"="" in key "HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8FD68F8A-641E-4204-AE47-DD835C1AE756}".
  • Creates key "HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA38}".
  • Creates value "AppName"="CKAgent.exe" in key "HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CE20149-ABE3-462E-A1B4-5B549971AA38}".
Rogue_68 configures following services on NT based machines:
  • Creates service "kcrtx86 (kcrtx86)" as "C:\WINDOWS\system32\kcrtx86.sys".
  • Creates service "JRSKD24 (JRSKD24)" as "C:\WINDOWS\system32\JRSKD24.SYS".
Rogue_68 makes the following additional changes to the infected computer:
  • Creates WindowsHook monitoring (null) activity.
It creates the following mutex to ensure only one instance is running: CKSetup32Running. _mtx_CKAgent_Running. @mtx_CKAgent. It also monitors the list of running processes.

Relevant Information