Win32/Agent.RKS [Threat Name]

Win32/Agent.RKS [Threat Variant Name]

Category: trojan
Size: 18432 B
Detection created: Jul 20, 2010
Detection database version: 5295
Aliases: Trojan.Win32.Inject.asfy (Kaspersky)
  Trojan:Win32/Lodap!rts (Microsoft)
  TROJ_INJECT.VTG (TrendMicro)

Short description

Win32/Agent.RKS is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:

  • %appdata%\{%variable%}\ntuser.cpl (12032 B)
  • %appdata%\{%variable%}\desktop.ini

A string with variable content is used instead of %variable%.


The trojan executes the following command:

  • rundll32.exe "%appdata%\{%variable%}\ntuser.cpl",_4CDFA75B

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "{%variable%}" = "rundll32 "%APPDATA%\{%variable%}\ntuser.cpl",_4CDFA75B"
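
A matcher for the launch and persistence pattern listed above, as an added example (not ESET's code or signature): it flags a process command line or Run/RunOnce value in which rundll32 loads ntuser.cpl from a folder directly under roaming AppData. The function names, indicator labels and sample values are constructed for illustration, and the expanded C:\Users\<name>\AppData\Roaming form of %appdata% is an assumption.

```python
import re

# Indicator value taken from the write-up above.
EXPORT = "_4CDFA75B"

# rundll32[.exe] "<path>",<export>; quotes and a directory prefix are optional.
CMD_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)
# ntuser.cpl exactly one folder below roaming AppData (literal or expanded).
PATH_RE = re.compile(
    r'^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)'
    r'\\(?P<dir>[^\\]+)\\ntuser\.cpl$', re.IGNORECASE)


def normalize(text):
    """Drop soft hyphens / zero-width spaces that web copy-paste leaves in paths."""
    return text.replace("\u00ad", "").replace("\u200b", "").strip()


def match_indicators(data, value_name=None):
    """Return the indicators matched by one command line or Run/RunOnce value."""
    cmd = CMD_RE.match(normalize(data))
    if not cmd:
        return []
    path = PATH_RE.match(cmd.group("path").strip())
    if not path:
        return []
    hits = ["rundll32-appdata-ntuser.cpl"]
    if cmd.group("export").rstrip('"').upper() == EXPORT:
        hits.append("export-name")
    # Assumption: the write-up uses one placeholder for folder and value name,
    # so equal strings are treated as a supporting hint, never a requirement.
    if value_name and normalize(value_name).lower() == path.group("dir").lower():
        hits.append("value-name-equals-folder")
    return hits


# Constructed samples (not captured from a real host).
SAMPLES = [
    ("{1a2b3c}", 'rundll32 "%APPDATA%\\{1a2b3c}\\ntuser.cpl",_4CDFA75B'),
    (None, '"C:\\Windows\\System32\\rundll32.exe" '
           '"C:\\Users\\bob\\AppData\\Roaming\\{9f}\\ntuser.cpl",_4CDFA75B'),
    (None, "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(match_indicators(data, name), "<-", data)
```

Feed it RunOnce value data exported from HKCU or process-creation command lines from endpoint logs; a hit on the path indicator alone, with a different export name, still merits a look at the file.
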

Other information

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry]
    • "ms-ldr" = "%malwarepath%"

The trojan creates and runs a new thread with its own program code in all running processes.


The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • www.microsoft.com

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL. It can download and execute a file from the Internet. The HTTP protocol is used.
