Win32/Agent.RAZ [Threat Name]

Win32/Agent.RAZ [Threat Variant Name]

Category trojan
Size 245760 B
Detection created Apr 15, 2010
Detection database version 5031
Aliases Trojan-Downloader.Win32.Agent.dlhc (Kaspersky)
  Trojan:Win32/Malagent (Microsoft)
  Generic.Downloader.x!dzu (McAfee)
Short description

Win32/Agent.RAZ is a trojan which tries to download other malware from the Internet.

Installation

The trojan creates the following files:

  • %temp%\update.tmp

The trojan may create the following files:

  • %system%\ipripv6.dll (41472 B)
  • %system%\wbem\wbmain.dll (37376 B)
  • %appdata%\DrWatson\DrWatson.exe (53760 B)
  • %appdata%\DrWatson\DrWatson.dll (37376 B)

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip]
    • "Type" = 32
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\svchost.exe -k netsvcs"
    • "DisplayName" = "RIP Listener"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Listens for route updates sent by routers that use the Routing Information Protocol version 1 (RIPv1)"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters]
    • "ServiceDll" = "%system%\ipripv6.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Security]
    • "Security" = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Enum]
    • "0" = "Root\LEGACY_IPRIP\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "ErrorReporter" = "%appdata%\DrWatson\DrWatson.exe ::C"

The Iprip service entry loads the trojan's DLL into svchost.exe (netsvcs group) as LocalSystem, and the Run entry starts DrWatson.exe under the logged-on user; either one causes the trojan to be executed on every system start.
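
The persistence above can be checked offline from a registry export. The following is an added example (not ESET's code and not part of the original description): it parses a Regedit 5.00 export of the Iprip service key and the HKCU Run key, flags an Iprip ServiceDll that is not the genuine iprip.dll, and flags any Run value that launches DrWatson.exe from a profile directory. The two .reg texts are constructed samples, not captures from a real host; the key paths and value names are the ones listed on this page.

```python
import re
from pathlib import PureWindowsPath

# Added example (not ESET's code): triage an exported .reg file for the
# Win32/Agent.RAZ persistence described on this page.

IPRIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
GENUINE_IPRIP_DLL = "iprip.dll"  # module of the real RIP Listener service


def _to_hex2(s: str) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ (hex(2): UTF-16LE)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))


def _from_hex2(payload: str) -> str:
    """Decode a comma-separated hex(2) byte list back to a string."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg(text: str) -> dict:
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.

    Handles REG_SZ ("..."), REG_DWORD (dword:) and REG_EXPAND_SZ (hex(2):),
    including the ",\\"-continued hex lines that reg.exe writes.
    """
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue  # default value (@=) and unexpected lines are skipped
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(2):"):
            value = _from_hex2(raw[len("hex(2):"):])
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = raw  # other types (hex:, hex(7): ...) kept verbatim
        keys[current][name] = value
    return keys


def find_indicators(keys: dict) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    dll = keys.get(IPRIP_KEY + r"\Parameters", {}).get("ServiceDll")
    if isinstance(dll, str) and PureWindowsPath(dll).name.lower() != GENUINE_IPRIP_DLL:
        svc = keys.get(IPRIP_KEY, {})
        autostart = svc.get("Start") == 2  # SERVICE_AUTO_START
        findings.append(f"Iprip ServiceDll is {dll!r} (expected {GENUINE_IPRIP_DLL}); "
                        f"autostart={autostart}, account={svc.get('ObjectName')}")
    for name, cmd in keys.get(RUN_KEY, {}).items():
        # Windows' own Dr. Watson is drwtsn32.exe in System32, never a
        # DrWatson.exe under the user's Application Data.
        if r"\drwatson\drwatson.exe" in str(cmd).lower():
            findings.append(f"Run value {name!r} launches {cmd!r}")
    return findings


# Constructed sample exports (not captured from a real host).
INFECTED_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{IPRIP_KEY}]",
    '"Type"=dword:00000020',
    '"Start"=dword:00000002',
    '"ErrorControl"=dword:00000001',
    '"ImagePath"=' + _to_hex2(r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
    '"DisplayName"="RIP Listener"',
    '"ObjectName"="LocalSystem"',
    "",
    f"[{IPRIP_KEY}\\Parameters]",
    '"ServiceDll"=' + _to_hex2(r"%SystemRoot%\System32\ipripv6.dll"),
    "",
    f"[{RUN_KEY}]",
    r'"ErrorReporter"="C:\\Documents and Settings\\Admin\\Application Data\\DrWatson\\DrWatson.exe ::C"',
])

CLEAN_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{IPRIP_KEY}\\Parameters]",
    '"ServiceDll"=' + _to_hex2(r"%SystemRoot%\System32\iprip.dll"),
    "",
    f"[{RUN_KEY}]",
    r'"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"',
])

if __name__ == "__main__":
    for label, reg in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(label, find_indicators(parse_reg(reg)) or "no indicators")
```

On a live host the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services\Iprip out.reg` (reg.exe writes UTF-16 with a BOM, so read it with `encoding="utf-16"`); the same parser works on a Run-key export. The check is deliberately narrow: a service named Iprip that is hosted by svchost.exe netsvcs and runs as LocalSystem is normal, and only the swapped ServiceDll gives the hijack away.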


The trojan launches the following processes:

  • %appdata%\DrWatson\DrWatson.exe

Other information

The trojan injects its own code into the following processes and runs it there in a new thread:

  • explorer.exe
  • winlogon.exe

The trojan acquires data and commands from a remote computer or the Internet. It contains a list of 5 URLs and communicates with them over HTTP.

The trojan can download and execute a file from the Internet.
