Win32/Agent.NLY [Threat Name]

Win32/Agent.NLY [Threat Variant Name]

Category: trojan, worm
Size: 68096 B
Detection created: Sep 07, 2007
Detection database version: 2514
Aliases: Trojan-Spy.Win32.Small.jo (Kaspersky), Trojan.Horse (Symantec), Win32:Agent-YYQ (Avast)

Short description

The trojan sends requests that simulate clicks on banner advertisements, inflate web counter statistics, etc. The trojan is probably part of other malware.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "SystemCmc" = "%malwarefilepath%"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "c:\windows\cmc.exe" = "c:\windows\cmc.exe:*:Enabled:Cmc"

This entry creates an exception in the Windows Firewall.
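
As an added example (not part of the original description or of any vendor tool), the following Python code scans the text of a registry export (.reg format) for the two entries listed above. The function names and the sample export are constructed for illustration, and as an assumption the firewall key is also matched under CurrentControlSet and other ControlSetNNN branches, not only ControlSet001.

```python
import re

# Indicators taken from the description above (compared case-insensitively).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "systemcmc"
# Assumption: CurrentControlSet and other ControlSetNNN branches are checked too.
FW_KEY = re.compile(
    r"^hkey_local_machine\\system\\(currentcontrolset|controlset\d{3})\\services"
    r"\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
    r"\\authorizedapplications\\list$")
FW_PATH = r"c:\windows\cmc.exe"

# "name"="data" line of a .reg file; backslashes and quotes are escaped in both parts.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # Undo .reg escaping: \\ becomes \ and \" becomes ".
    return re.sub(r"\\(.)", r"\1", s)


def scan_reg_export(text):
    """Return (indicator, key, name, data) tuples for entries matching the description."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the key the following values belong to
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue                  # header, blank line, or non-string value
        name, data = unescape(m.group(1)), unescape(m.group(2))
        k = key.lower()
        if k == RUN_KEY and name.lower() == RUN_VALUE:
            hits.append(("run-key persistence", key, name, data))
        elif FW_KEY.match(k) and name.lower() == FW_PATH:
            hits.append(("firewall exception", key, name, data))
    return hits


# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SystemCmc"="C:\\WINDOWS\\cmc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\windows\\cmc.exe"="c:\\windows\\cmc.exe:*:Enabled:Cmc"
'''
```

Files written by `reg export` are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `scan_reg_export`.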

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 2 URLs. The HTTP protocol is used.


The trojan sends requests that simulate clicks on banner advertisements, inflate web counter statistics, etc.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • smtp.mail.ru
