Win32/Agent.RIZ [Threat Name] go to Threat

Win32/Agent.RIZ [Threat Variant Name]

Category trojan
Size 18752 B
Detection created Jun 30, 2010
Detection database version 5240
Aliases Trojan.ADH (Symantec)
  Trojan.Inject.8954 (Dr.Web)
  Troj/Bdoor-AZG (Sophos)
Short description

Win32/Agent.RIZ is a trojan which tries to download other malware from the Internet.


The trojan does not create any copies of itself.

Other information

The trojan contains an URL address. It tries to download the other part of the infiltration from the address. The HTTP protocol is used.

The file is stored in the following location:

  • %windir%\­system32\­drivers\­viddev.inf

Installs the following system drivers:

  • %windir%\­system32\­drivers\­viddev.inf

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­viddev]
    • "Type" = 1
    • "ErrorControl" = 0
    • "Start" = 1
    • "Data" = %random%
    • "ImagePath" = "%windir%\­system32\­drivers\­viddev.inf"

A string with variable content is used instead of %random% .

This causes the trojan to be executed on every system start.

The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • csrss.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • lsass.exe
  • lsm.exe
  • opera.exe
  • outlook.exe
  • safari.exe
  • svchost.exe
  • thunderbird.exe

The trojan will attempt to download several files from the Internet.

The trojan contains a list of (4) URLs.

The downloaded files contain encrypted executables.

After decryption, the trojan runs these files.

Please enable Javascript to ensure correct displaying of this content and refresh this page.