Win32/Agent.RJF [Threat Name] go to Threat

Win32/Agent.RJF [Threat Variant Name]

Category trojan
Size 69632 B
Detection created Jul 03, 2010
Detection database version 5249
Aliases Trojan:Win32/Agent.RF!dll (Microsoft)
  Suspicious.IRCBot (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely. Win32/Agent.RJF can infect executable files.

Installation

When executed, the trojan creates the following files:

  • %temp%\­~%variable1%.tmp

The trojan executes the following command:

  • %system%\­regsvr32.exe /s %temp%\­~%variable1%.tmp ,%originalmalwarefilepath%

The trojan may create copies of the following files (source, destination):

  • %system%\­msvccp50.dll, %system%\­msvcp60.dll

The trojan may delete the following files:

  • %system%\­dllcache\­rpcss.dll

The trojan may execute the following commands:

  • takeown /f "%system%\­rpcss.dll"
  • icacls "%system%\­rpcss.dll" /grant administrators:F

The trojan creates copies of the following files (source, destination):

  • %system%\­rpcss.dll, %system%\­brpcss.dll
  • %temp%\­~%variable1%.tmp, %system%\­rpcss.dll

The trojan may create copies of the following files (source, destination):

  • %temp%\­~%variable1%.tmp, %system%\­rpcss.dll~~%variable3%

The trojan may create the following files:

  • %common_startup%\­%variable2%.lnk

The file is a shortcut to a malicious file.


A string with variable content is used instead of %variable1-3% .


The trojan may create the text file:

  • %system%\­apa.dll

After the installation is complete, the trojan deletes the original executable file.


The trojan creates and runs a new thread with its own program code within the following processes:

  • svchost.exe
Executable file infection

The trojan searches fixed and removable drives for executable files to infect.


Only drives which do not contain one of the following folders are searched:

  • %drive%\­windows

The trojan searches for files with the following file extensions:

  • .exe

The trojan infects files which size is more than 102400 B .


Files with the following names are not infected:

  • qq.exe

The host file is modified in a way that causes the Win32/Fignya.C (2392 B) to be executed prior to running the original code.


When an infected file is executed, the original file is also run.

Information stealing

The trojan collects the following information:

  • computer name
  • network adapter information
  • CPU information

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • send the list of disk devices and their type to a remote computer
  • various file system operations
  • execute shell commands
  • update itself to a newer version
  • uninstall itself
  • sending various information about the infected computer

The trojan may delete files stored in the following folders:

  • %commonstartup%

Please enable Javascript to ensure correct displaying of this content and refresh this page.