Win32/Agent.NTZ [Threat Name]

Win32/Agent.NTZ [Threat Variant Name]

Category trojan, worm
Size 34816 B
Detection created Apr 25, 2008
Detection database version 3054
Aliases DNSChanger.AD (AVG), Trojan.Virtumod.based.22 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is probably a part of other malware.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\%variable1%.exe

The following file is dropped:

  • %system%\%variable2%.dll

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%windir%\%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%system%\%variable2%.dll %originalcontent%"

The dropped DLL is prepended to whatever AppInit_DLLs already contained (%originalcontent%), so it is loaded into every process that loads user32.dll while any pre-existing entries keep working.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{625B529F-9E03-4475-9F3D-33F9B7B410F2}]
    • "Separate Device ID" = "%windir%\%variable1%.exe"
    • "Manufacturer Name" = "%variable2%.dll"
    • "Organization Name" = "%variable3%"
    • "Sub-system ID" = %binvalue%

The uninstall key records the names chosen at installation time (the copied executable, the dropped DLL and the Run value name), so the three locations can be correlated on an infected system even though the names themselves vary. A string with variable content is used instead of %variable1-3%.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URL addresses. The TCP protocol is used in the communication.

The trojan may attempt to download files from the Internet.

The file is stored in the following location:

  • %temp%\exx%variable%.exe

The file is then executed.

A string with variable content is used instead of %variable%.

The trojan may terminate specific running processes.
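Because the file and value names in the Installation section are variable, the durable indicators are the fixed uninstall GUID and the fact that the Run value, the AppInit_DLLs entry and the uninstall key all name the same files. The script below is an added example, not part of the ESET description: it parses a registry export in the text form written by `reg export` and reports those correlated indicators, and it also matches the %temp%\exx%variable%.exe download name from the Other information section. The sample export and the names wsvchost.exe, mswsck.dll and wsvchost are constructed stand-ins for the %variable1-3% placeholders, not names observed in the wild.

```python
"""Offline triage for the Win32/Agent.NTZ registry and file-name indicators.

Input is a .reg text export (`reg export HKLM\SOFTWARE hklm.reg` writes UTF-16LE,
so open real files with encoding="utf-16"). The sample below is constructed.
"""
import ntpath
import re
from typing import Dict, List

# Fixed indicator quoted in the description.
UNINSTALL_GUID = "{625B529F-9E03-4475-9F3D-33F9B7B410F2}"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
UNINSTALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
                 + "\\" + UNINSTALL_GUID)

# An .exe sitting directly in the Windows directory root (%windir%\name.exe).
WINDIR_EXE = re.compile(r"^[a-z]:\\(windows|winnt)\\[^\\]+\.exe$", re.I)
# Download drop name %temp%\exx%variable%.exe.
TEMP_DROP = re.compile(r"^exx.+\.exe$", re.I)

# Constructed sample export; wsvchost.exe / mswsck.dll / wsvchost stand in for
# %variable1-3%. Backslashes are doubled exactly as reg.exe writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"wsvchost"="C:\\WINDOWS\\wsvchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\mswsck.dll "
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{625B529F-9E03-4475-9F3D-33F9B7B410F2}]
"Separate Device ID"="C:\\WINDOWS\\wsvchost.exe"
"Manufacturer Name"="mswsck.dll"
"Organization Name"="wsvchost"
"Sub-system ID"=hex:3a,12,00,00
'''

VALUE_LINE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: decoded string or raw data}.

    String values are unescaped (\\\\ -> \\, \\" -> "); hex/dword values are kept
    as their raw text, and multi-line hex continuations are ignored.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            raw = m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            keys[current][name] = raw
    return keys


def find_agent_ntz(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings: List[str] = []
    uninst = keys.get(UNINSTALL_KEY, {})
    if UNINSTALL_KEY in keys:
        findings.append(f"uninstall key {UNINSTALL_GUID} present")
    exe_path = uninst.get("Separate Device ID", "")
    dll_name = uninst.get("Manufacturer Name", "")

    # Run value launching an .exe from the Windows directory root.
    for name, value in keys.get(RUN_KEY, {}).items():
        if WINDIR_EXE.match(value):
            tag = (" (matches uninstall 'Separate Device ID')"
                   if exe_path and value.lower() == exe_path.lower() else "")
            findings.append(f"Run value '{name}' -> {value}{tag}")

    # Any AppInit_DLLs entry is worth a look; one named by the uninstall key is the trojan's.
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    for entry in re.split(r"[ ,]+", appinit.strip()):
        if not entry:
            continue
        tag = (" (matches uninstall 'Manufacturer Name')"
               if dll_name and ntpath.basename(entry).lower() == dll_name.lower() else "")
        findings.append(f"AppInit_DLLs loads {entry}{tag}")
    return findings


def is_temp_drop_name(path: str) -> bool:
    """True for the exx%variable%.exe name the trojan uses for downloaded files."""
    return TEMP_DROP.match(ntpath.basename(path)) is not None


if __name__ == "__main__":
    for finding in find_agent_ntz(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host the same three locations can be read with `reg query`, but exporting the hive first keeps the evidence and lets the check run on an imaged disk. The Run-value heuristic alone will also flag legitimate programs that install into the Windows root; the combination with the uninstall GUID and the AppInit_DLLs match is what makes the result specific to this family.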