Win32/Agent.RRE [Threat Name]

Win32/Agent.RRE [Threat Variant Name]

Category trojan
Size 1378816 B
Detection created Oct 11, 2010
Detection database version 5519
Aliases Trojan:Win32/Skeeyah.A!rfn (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan creates the following file:

  • %workingfolder%\build.conf (32 B)

The trojan schedules a task that causes the following file to be executed on every system start:

  • %malwarefilepath%

The trojan may execute the following commands:

  • cmd.exe /c schtasks /create /sc onlogon /f /tn "UpdateChecker" /tr "%malwarefilepath%"
  • cmd.exe /c schtasks /create /sc onlogon /tn "UpdateChecker" /tr "%malwarefilepath%"

The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan quits immediately if it detects a module loaded into its own process whose name contains one of the following strings:

  • SbieDll.dll
  • snxhk.dll
  • dbghelp.dll

The trojan quits immediately if any of the following Registry keys/values is detected:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "ProductId" = "76487-640-1457236-23837"
    • "ProductId" = "76487-644-3177037-23510"
    • "ProductId" = "55274-640-2673064-23950"
    • "ProductId" = "76497-640-6308873-23835"

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTPS protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • perform DoS/DDoS attacks

The trojan may execute the following commands:

  • cmd.exe /c del /S /Q "%appdata%\Microsoft\Windows\Recent"
  • cmd.exe /C schtasks /Delete /F /TN "UpdateChecker"
  • cmd.exe /C ping 127.0.0.1 -n 2 -w 2000 & Del "%malwarefilepath%"
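As an added detection example that is not part of the original entry, the Python below scans process-creation command lines for the persistence, cleanup and self-deletion commands listed above and extracts the binary path an UpdateChecker task would launch at logon. The SAMPLE_EVENTS records are constructed, and the rule and function names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation records (pid, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("4412", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c schtasks /create /sc onlogon /f /tn "UpdateChecker" /tr "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"'),
    ("4420", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c del /S /Q "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Recent"'),
    ("4433", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /C schtasks /Delete /F /TN "UpdateChecker"'),
    ("4440", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /C ping 127.0.0.1 -n 2 -w 2000 & Del "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"'),
    # Benign scheduled task, should not match any rule.
    ("5001", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c schtasks /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.exe"'),
]

# One rule per command line documented for this variant; matching is case-insensitive
# because the entry shows both "/c" and "/C" forms.
RULES = [
    ("persist_onlogon_updatechecker",
     re.compile(r'schtasks\s+/create\s+.*?/sc\s+onlogon\b.*?/tn\s+"UpdateChecker"', re.I)),
    ("wipe_recent_items",
     re.compile(r'\bdel\s+/S\s+/Q\s+"[^"]*\\Microsoft\\Windows\\Recent"', re.I)),
    ("remove_updatechecker_task",
     re.compile(r'schtasks\s+/Delete\s+/F\s+/TN\s+"UpdateChecker"', re.I)),
    ("ping_delay_self_delete",
     re.compile(r'ping\s+127\.0\.0\.1\s+-n\s+\d+\s+-w\s+\d+\s*&\s*Del\s+"[^"]+"', re.I)),
]

def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def extract_task_binary(cmdline: str) -> Optional[str]:
    """Pull the /tr target out of a schtasks /create line: the path the task launches at logon."""
    m = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
    return m.group(1) if m else None

def scan(events) -> Dict[str, List[str]]:
    """Map pid -> triggered rule names for every event that matches at least one rule."""
    hits: Dict[str, List[str]] = {}
    for pid, _image, cmdline in events:
        tags = classify(cmdline)
        if tags:
            hits[pid] = tags
    return hits
```

A persistence hit paired with extract_task_binary gives the analyst the file to collect before the ping-delayed Del removes it.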
