Win32/Agent.PBI [Threat Name]

Win32/Agent.PBI [Threat Variant Name]

Category: trojan
Size: 2457568 B
Detection created: Mar 18, 2009
Detection database version: 3946
Aliases: Trojan-Downloader.Win32.Agent.vjqi (Kaspersky)
Short description

Win32/Agent.PBI is a trojan that is spread via peer-to-peer networks. The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %temp%\install-201591042.exe (2689024 B)

The file is then executed.


The trojan may create the following files:

  • %programfiles%\Tor\tor.exe (2745870 B)
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe (2689024 B)
  • %localappdata%\tor\cached-certs
  • %localappdata%\tor\cached-consensus
  • %localappdata%\tor\cached-cached-descriptors
  • %localappdata%\tor\cached-descriptors.new
  • %localappdata%\tor\lock
  • %localappdata%\tor\state
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\049e7fb749be2cdf169e28bb0a27254f\%variable1%.ct
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\049e7fb749be2cdf169e28bb0a27254f\%variable1%.ph
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\cache.00
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\key_index.dat
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\known.met
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\known2_64.met
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\load_index.dat
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\queries-%variable2%.cache
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\server.met
  • %system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\src_index.dat

A string with variable content is used instead of %variable1%. The variable %variable2% represents a number in the range 00-99.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tor]
    • "Type" = 16
    • "Start" = 2
    • "ImagePath" = ""%programfiles%\Tor\tor.exe" --nt-service "-ControlPort" "9051""
    • "DisplayName" = "Tor Win32 Service"
    • "ObjectName" = "NT AUTHORITY\LocalService"
    • "Description" = "Provides an anonymous Internet communication system"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tor\Security]
    • "Security" = %hexvalue1%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Internet Name Service]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\config\systemprofile\Local Settings\Application Data\Windows Internet Name Service\wins.exe"
    • "DisplayName" = "Windows Internet Name Service"
    • "Group" = "netsvcs"
    • "ObjectName" = "LocalSystem"
    • "FailureActions" = %hexvalue2%
    • "Description" = "Provides Internet Name Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Internet Name Service\Security]
    • "Security" = %hexvalue1%

A string with variable content is used instead of %hexvalue1% and %hexvalue2%.
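The two service entries above are the trojan's persistence mechanism, and they are easy to hunt for because the display name "Windows Internet Name Service" is borrowed from a legitimate Windows component while the ImagePath is not: the real WINS server service runs wins.exe from %SystemRoot%\System32, not from a "Local Settings\Application Data" directory under the SYSTEM profile. The following script is an added example, not ESET's code, that checks a set of service registry entries against the ImagePath indicators listed in this description. It runs offline on constructed sample entries; the read_services_from_registry helper for a live Windows host is an assumption (it uses winreg and needs to be run as an administrator) and is not exercised by the sample.

```python
"""Check Windows service registry entries for the persistence indicators
listed for Win32/Agent.PBI (added example; not the vendor's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class ServiceEntry:
    """One subkey under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    key_name: str
    values: Dict[str, object] = field(default_factory=dict)


# ImagePath patterns taken from the registry entries in the description.
# Keys are service subkey names, lower-cased because registry names are
# case-insensitive. The tor pattern matches the "--nt-service" form of the
# ImagePath; the wins.exe pattern matches the SYSTEM-profile directory that
# the legitimate WINS service never uses.
IMAGEPATH_INDICATORS = {
    "tor": re.compile(r'tor\.exe"?\s+--nt-service', re.IGNORECASE),
    "windows internet name service": re.compile(
        r"config\\systemprofile\\Local Settings\\Application Data\\"
        r"Windows Internet Name Service\\wins\.exe",
        re.IGNORECASE,
    ),
}


def match_indicator(entry: ServiceEntry) -> Optional[Tuple[str, str]]:
    """Return (service key, reason) if the entry matches an indicator,
    otherwise None. Only the ImagePath decides; a matching DisplayName alone
    is not a hit, because the genuine WINS service shares that display name."""
    pattern = IMAGEPATH_INDICATORS.get(entry.key_name.lower())
    if pattern is None:
        return None
    image_path = str(entry.values.get("ImagePath", ""))
    if not pattern.search(image_path):
        return None
    start = entry.values.get("Start")
    reason = f"ImagePath {image_path!r}"
    if start == 2:
        reason += " (Start=2, auto-start)"
    return entry.key_name, reason


def scan(entries: Iterable[ServiceEntry]) -> List[Tuple[str, str]]:
    """Run match_indicator over every entry and collect the hits."""
    return [hit for hit in (match_indicator(e) for e in entries) if hit]


def read_services_from_registry() -> List[ServiceEntry]:
    """Enumerate the Services key on a live Windows host (assumption: run as
    an administrator; winreg only exists on Windows, hence the local import)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            values: Dict[str, object] = {}
            with winreg.OpenKey(root, name) as sub:
                vindex = 0
                while True:
                    try:
                        vname, vdata, _ = winreg.EnumValue(sub, vindex)
                    except OSError:
                        break
                    values[vname] = vdata
                    vindex += 1
            entries.append(ServiceEntry(name, values))
    return entries


# Constructed sample entries: a genuine WINS service, a DHCP client, and two
# entries shaped like the ones the description lists (placeholders expanded
# to default paths, an assumption).
SYSPROFILE = r"C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data"
SAMPLE_ENTRIES = [
    ServiceEntry("WINS", {"DisplayName": "Windows Internet Name Service",
                          "ImagePath": r"%SystemRoot%\System32\wins.exe",
                          "Start": 2, "Type": 16}),
    ServiceEntry("Windows Internet Name Service", {
        "Type": 16, "Start": 2, "ErrorControl": 1,
        "ImagePath": SYSPROFILE + r"\Windows Internet Name Service\wins.exe",
        "DisplayName": "Windows Internet Name Service",
        "Group": "netsvcs", "ObjectName": "LocalSystem"}),
    ServiceEntry("tor", {
        "Type": 16, "Start": 2,
        "ImagePath": r'"C:\Program Files\Tor\tor.exe" --nt-service "-ControlPort" "9051"',
        "DisplayName": "Tor Win32 Service",
        "ObjectName": r"NT AUTHORITY\LocalService"}),
    ServiceEntry("Dhcp", {"DisplayName": "DHCP Client",
                          "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService"}),
]

if __name__ == "__main__":
    for key, reason in scan(SAMPLE_ENTRIES):
        print(f"suspect service {key!r}: {reason}")
```

On the sample data only the two constructed trojan-style entries are reported; the genuine WINS entry is not, even though its display name is identical. Treat the tor hit as a triage lead rather than a verdict, since a Tor service can also be installed deliberately; the wins.exe path under the SYSTEM profile is the stronger indicator and should be checked together with the file list above.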


The trojan may affect the behavior of the following applications:

  • Windows Firewall

Spreading via P2P networks

Win32/Agent.PBI is a trojan that is spread via peer-to-peer networks.


The following services are affected:

  • eMule

Information stealing

The trojan collects the following information:

  • computer IP address
  • user name
  • operating system version

Other information

The trojan quits immediately if it is run within a debugger.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTP protocol is used in the communication. It communicates via the Tor anonymity network.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
