MSIL/Agent.KX [Threat Name] go to Threat

MSIL/Agent.KX [Threat Variant Name]

Category trojan,worm
Size 239616 B
Detection created Dec 30, 2013
Detection database version 9230
Aliases Trojan:MSIL/Splori.A (Microsoft)
  MSIL:Agent-BAO (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


The trojan does not create any copies of itself.

The trojan is usually a part of other malware with name MSIL/Spy.Agent.BP .

Information stealing

MSIL/Agent.KX is a trojan that steals sensitive information.

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • user name
  • operating system version
  • memory status
  • CPU information
  • installed antivirus software
  • installed firewall application

The trojan is able to log keystrokes.

The collected information is stored in the following file:

  • %appdata%\­msconfig.ini

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.

It can execute the following operations:

  • log keystrokes
  • download files from a remote computer and/or the Internet
  • run executable files
  • sending various information about the infected computer
  • open a specific URL address
  • execute shell commands
  • update itself to a newer version
  • perform DoS/DDoS attacks

The trojan can modify the following file:

  • C:\­windows\­system32\­drivers\­etc\­hosts

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan may affect the behavior of the following applications:

  • Azureus.exe
  • BitTorrent.exe
  • uTorrent.exe

The trojan can create and run a new thread with its own program code within the following processes:

  • vbc.exe

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­VB and VBA Program Settings\­Microsoft\­Sysinternals]
    • "PROCID" = %number%
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­SystemRestore]
    • "DisableSR" = 1

A variable numerical value is used instead of %number% .

The trojan may create the following files:

  • %temp%\­taskmgr.ini

Please enable Javascript to ensure correct displaying of this content and refresh this page.