Win32/Agent.RPL [Threat Name] go to Threat

Win32/Agent.RPL [Threat Variant Name]

Category trojan
Size 71084 B
Detection created Sep 10, 2010
Detection database version 5440
Aliases Trojan:Win32/Sefnit.A (Microsoft)
  Adware.ADH (Symantec)
Short description

Win32/Agent.RPL is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %temp%\­8Ecg3cbT.dll (69632 B, Win32/Agent.RPL)
  • %appdata%\­cryptd3druntime\­cryptd3druntime.dll (69632 B, Win32/Agent.RPL)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "cryptd3druntime" = "rundll32.exe "%appdata%\­cryptd3druntime\­cryptd3druntime.dll", DllInit"

Code of the is injected in running processes.

Information stealing

The trojan collects various information when

  • Mozzila Firefox
  • Internet Explorer

is being used to access the following sites:

  • *www.google*
  • *yahoo.com*
  • *www.bing.*
  • *.aol.*

A string with variable content is used instead of * .


The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (1) URLs.


The HTTP protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.