Win32/Agent.RTF [Threat Name]

Win32/Agent.RTF [Threat Variant Name]

Category trojan, worm
Size 64512 B
Detection created Nov 03, 2010
Detection database version 5589
Aliases Backdoor.Win32.LolBot.ou (Kaspersky)
  BackDoor-FAI.trojan (McAfee)
  Worm:Win32/Duptwux.A (Microsoft)
  Win32:Agent-AMMN (Avast)
Short description

Win32/Agent.RTF is a worm that spreads via removable media. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm copies itself to the following locations:

  • %temp%\jre-08tmpuks.exe
  • %programfiles%\Java\jre-08\bin\jusched.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SunJavaUpdateSched8" = "%programfiles%\Java\jre-08\bin\jusched.exe"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%programfiles%\Java\jre-08\bin\jusched.exe" = "%programfiles%\Java\jre-08\bin\jusched.exe:*:Enabled:JavaUpdate8"

This entry adds the worm's executable to the Windows Firewall exception list for the standard profile, so inbound connections to it are allowed. The file name, folder and value name mimic the legitimate Java Update Scheduler (jusched.exe, Run value "SunJavaUpdateSched"); a genuine Java installation does not use a jre-08 folder or a numeric suffix on the value name.

The worm creates the following file:

  • %programfiles%\Java\jre-08\bin\UF

Spreading on removable media

The worm copies itself into the root folder of fixed and/or removable drives using the following name:

  • New Folder .exe

The space before the extension is part of the name: with file extensions hidden in Explorer the file appears as a folder called "New Folder".

Other information

Win32/Agent.RTF is a worm which tries to download other malware from the Internet.

The worm contains a URL address. It tries to download a file from that address using the FTP protocol.

The file is stored in the following location:

  • %temp%\ddd.exe

The file is then executed.

The worm may delete files stored in the following folders:

  • %windir%\RTL6987\
  • %windir%\RTL6988\
  • %windir%\RTL6989\
  • %windir%\RTL6990\
  • %windir%\RLN06527\
  • %windir%\RLN06530\
  • %programfiles%\Java\jre-01\
  • %programfiles%\Java\jre-02\
  • %programfiles%\Java\jre-03\
  • %programfiles%\Java\jre-04\
  • %programfiles%\Java\jre-05\
  • %programfiles%\Java\jre-06\
  • %programfiles%\Java\jre-07\

The following Registry entries (values under the Run key) are removed:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched-]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched-]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched_]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched_]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched.]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched.]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched,]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched,]

The jre-01 to jre-07 folders and the SunJavaUpdateSched value names mirror this variant's own scheme (jre-08, SunJavaUpdateSched8), which suggests the worm is clearing out earlier variants before installing itself. Note that removing the plain "SunJavaUpdateSched" value also disables the legitimate Java Update Scheduler if it was present.
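A read-only host triage script covering the artifacts listed in the Installation, Spreading on removable media and Other information sections, added here as an example; it is not ESET's code and not part of the original description. It assumes an elevated PowerShell session on the host being inspected; the variable names ($Findings, $PfDirs, $Files, $OldDirs) are local choices, and treating the jre-01 to jre-07 folders as residue of earlier variants is an inference from the naming scheme, not something the description states.

```powershell
# Added triage script (example, not ESET's code). Read-only: nothing is deleted or changed.
# Assumes an elevated PowerShell session; $Findings, $PfDirs, $Files, $OldDirs are local names.

$Findings = New-Object 'System.Collections.Generic.List[string]'

# %programfiles% expands differently for 32- and 64-bit processes, so check both trees.
$PfDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# 1. Dropped copies of the worm, its helper file and the FTP download target.
$Files = @((Join-Path $env:TEMP 'jre-08tmpuks.exe'), (Join-Path $env:TEMP 'ddd.exe'))
foreach ($pf in $PfDirs) {
    $Files += Join-Path $pf 'Java\jre-08\bin\jusched.exe'
    $Files += Join-Path $pf 'Java\jre-08\bin\UF'
}
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $Findings.Add("file present: $f") }
}

# 2. Run-key persistence. The genuine Java Update Scheduler also uses a value named
#    SunJavaUpdateSched, so only a suffixed name (SunJavaUpdateSched8, SunJavaUpdateSched-, ...)
#    or a value pointing into a jre-NN folder is reported.
$RunKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name) {
        $data = [string]$props.$name
        if ($name -match '^SunJavaUpdateSched.+' -or $data -match '\\Java\\jre-\d{2}\\bin\\jusched\.exe') {
            $Findings.Add("run value: $k\$name = $data")
        }
    }
}

# 3. Windows Firewall exception in the StandardProfile authorized-application list.
$FwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $FwKey) {
    $fw = Get-ItemProperty -Path $FwKey
    foreach ($name in $fw.PSObject.Properties.Name) {
        $data = [string]$fw.$name
        if ($name -match 'jre-\d{2}\\bin\\jusched\.exe$' -or $data -match ':JavaUpdate\d+$') {
            $Findings.Add("firewall exception: $name = $data")
        }
    }
}

# 4. Spreader copy in the root of every file-system drive (the space before .exe is part of the name).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $c = Join-Path $drive.Root 'New Folder .exe'
    if (Test-Path -LiteralPath $c -PathType Leaf -ErrorAction SilentlyContinue) {
        $Findings.Add("spreader copy: $c")
    }
}

# 5. Folders this variant cleans out. Their presence points to an earlier variant
#    (an inference from the jre-01..jre-07 naming, not stated in the description).
$OldDirs = @()
foreach ($n in 'RTL6987', 'RTL6988', 'RTL6989', 'RTL6990', 'RLN06527', 'RLN06530') {
    $OldDirs += Join-Path $env:windir $n
}
foreach ($pf in $PfDirs) {
    foreach ($i in 1..7) { $OldDirs += Join-Path $pf ('Java\jre-{0:D2}' -f $i) }
}
foreach ($d in $OldDirs) {
    if (Test-Path -LiteralPath $d -PathType Container) { $Findings.Add("older-variant folder: $d") }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Win32/Agent.RTF artifacts found.'
} else {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A plain "SunJavaUpdateSched" value pointing into a normal Java folder is deliberately not reported, since that is the legitimate updater. Any hit on a file path should be confirmed by hashing the file and checking it against the vendor detection before remediation, and a hit only in step 5 indicates leftover folders rather than a live infection.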
