Win32/Agent.PZL [Threat Name]

Win32/Agent.PZL [Threat Variant Name]

Category: trojan
Size: 29184 B
Detection created: Aug 24, 2009
Detection database version: 4362
Aliases:
  • FakeAlert.MN.trojan (AVG)
  • Packed.Win32.TDSS.y (Kaspersky)
  • TrojanSpy:Win32/Chadem.A (Microsoft)

Short description

Win32/Agent.PZL is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %appdata%\Microsoft\Windows\winlogon.exe
  • C:\Program Files\Microsoft\winlogon.exe

The file is then executed.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Windows logon process" = "%malwarefilepath%"
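
A read-only check for the persistence artifacts listed above, as an added example that is not part of the original description or any vendor tool. It assumes PowerShell 4.0 or later, run as the user under examination. Flagging any Run value that launches a winlogon.exe goes beyond the exact entry described, on the basis that the genuine winlogon.exe resides in %SystemRoot%\System32 and is not started from a Run key.

```powershell
# Added example: read-only check for the Win32/Agent.PZL artifacts in this description.
# HKCU and %appdata% are per-user, so run it in the context of the user being examined.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Microsoft Windows logon process'   # value name taken from the description
$dropPaths = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\winlogon.exe'),
    'C:\Program Files\Microsoft\winlogon.exe'
)
$findings = @()

# 1. Run-key values: the exact name from the description, plus (generalization)
#    any value whose data points at a winlogon.exe.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -eq $valueName -or $data -match '\\winlogon\.exe') {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = $name; Detail = $data }
        }
    }
}

# 2. Dropped copies: record size and hash so the file can be compared and submitted.
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $file = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if (-not $hash) { $hash = 'unreadable (file locked or access denied)' }
        $findings += [pscustomobject]@{
            Type   = 'File'
            Item   = $path
            Detail = "size=$($file.Length) B (description lists 29184 B); sha256=$hash"
        }
    }
}

# 3. Report. Nothing is modified or deleted by this script.
if ($findings.Count -gt 0) {
    $findings | Format-List
} else {
    'No Win32/Agent.PZL persistence artifacts found for this user.'
}
```

A size other than 29184 B does not clear a file found at these paths; any winlogon.exe at either location warrants analysis.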

Information stealing

Win32/Agent.PZL is a trojan that steals sensitive information.


The trojan collects the following information:

  • FTP account information

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of 2 IP addresses. The HTTP protocol is used in the communication.

Other information

The trojan monitors network traffic on the following ports:

  • 21
