Win32/Agent.GCI [Threat Name]

Win32/Agent.GCI [Threat Variant Name]

Category: trojan
Size: 26112 B
Detection created: Mar 07, 2008
Detection database version: 2929
Aliases:
  • Trojan.Win32.Agent.glb (Kaspersky)
  • Downloader-BOT (McAfee)
  • Trojan.LowZones.874 (Dr.Web)

Short description

Win32/Agent.GCI is a trojan that tries to download other malware from the Internet. The file is run-time compressed using PECompact.


When executed, the trojan copies itself into the following location:

  • %system%\wbem\csrss.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "csrss" = "%system%\wbem\csrss.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3

Information stealing

The trojan collects the following information:

  • operating system version
  • Internet Explorer version
  • Mozilla Firefox version
  • type of Internet connection
  • current screen resolution

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs.

The trojan tries to download and execute several files from the Internet. The HTTP protocol is used.

These are stored in the following locations:

  • %temp%\x%variable1%.tmp
  • %system%\%variable2%\%filename%

A string with variable content is used instead of %variable1%, %variable2% and %filename%.

The trojan creates the following files:

  • %appdata%\n.ini
  • %temp%\temp.bat
  • %system%\c200.bat
  • %system%\n.ini

The following services are disabled:

  • winupdate
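
A host check for the artifacts listed in this description, as an added example that is not part of the original entry. It assumes %system% is the Windows system directory (System32, plus SysWOW64 where a 32-bit process is redirected on 64-bit Windows) and that it runs in the affected user's session, so that HKCU, %appdata% and %temp% refer to that user.

```powershell
# Added example: look for the files, Registry values and service state named in the description.
$findings = New-Object System.Collections.Generic.List[string]

# System directories: System32, and SysWOW64 (file redirection target for 32-bit processes).
$sysDirs = @([Environment]::GetFolderPath('System'), [Environment]::GetFolderPath('SystemX86')) |
    Where-Object { $_ } | Select-Object -Unique

# 1. Self-copy and dropped files. The genuine csrss.exe sits directly in System32, not in wbem.
$paths = @((Join-Path $env:APPDATA 'n.ini'), (Join-Path $env:TEMP 'temp.bat'))
foreach ($dir in $sysDirs) {
    $paths += Join-Path $dir 'wbem\csrss.exe'
    $paths += Join-Path $dir 'c200.bat'
    $paths += Join-Path $dir 'n.ini'
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("File present: $p") }
}

# 2. Autostart value "csrss" under Run (native view and the 32-bit WOW6432Node view).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -LiteralPath $key -Name 'csrss' -ErrorAction SilentlyContinue
    if ($run) { $findings.Add("Run value 'csrss' in $key = $($run.csrss)") }
}

# 3. Internet zone (Zones\3) value "2500" set to 3 for the current user.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zone = Get-ItemProperty -LiteralPath $zoneKey -Name '2500' -ErrorAction SilentlyContinue
if ($zone -and $zone.'2500' -eq 3) { $findings.Add("Zones\3 value '2500' = 3") }

# 4. Service "winupdate" present and disabled.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='winupdate'" -ErrorAction SilentlyContinue
if ($svc -and $svc.StartMode -eq 'Disabled') { $findings.Add("Service 'winupdate' is disabled") }

if ($findings.Count -gt 0) { $findings } else { 'No listed artifacts found.' }
```

A single match, the zone value in particular, can also come from local configuration; the wbem\csrss.exe copy together with the "csrss" Run value is the strongest combination listed here.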
