Win32/Agent.RZE [Threat Name]

Win32/Agent.RZE [Threat Variant Name]

Category: trojan, worm
Size: 195072 B
Detection created: Oct 22, 2010
Detection database version: 5555
Aliases: Trojan.Win32.Pasta.kri (Kaspersky)
         StartPage-NT.trojan (McAfee)
         Trojan:Win32/Startpage.gen!A (Microsoft)
         Win32:Injector-AVP (Avast)
Short description

Win32/Agent.RZE is a worm that changes the home page of certain web browsers. It is able to spread via removable media.

Installation

When executed, the worm copies itself into the following locations:

  • %appdata%\csrss.exe
  • %startup%\csrss.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "TINTIMG" = "%appdata%\csrss.exe"

To keep its files out of sight, the worm sets the following Registry entries, which stop Windows Explorer from showing hidden files, protected operating system files and file extensions, and disable the "Show hidden files and folders" option in Folder Options:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0
    • "HideFileExt" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
    • "CheckedValue" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
    • "CheckedValue" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0
    • "HideFileExt" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
    • "CheckedValue" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
    • "CheckedValue" = 1
Spreading on removable media

The worm copies itself into the root folders of removable drives, using a filename based on the name of an existing file or folder.

The worm creates copies of the following files (source, destination):

  • %drive%\%existingfolder%\*.*, %drive%\_\%existingfolder%\*.*

The worm then deletes the source files.
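The removable-media layout described above (a "_" folder holding the displaced contents of the original folders, next to a copy of the worm named after each of them) can be scanned for and reversed offline. The script below is an added example, not ESET's tooling or anything from the original page: it assumes the dropped copy carries an executable extension such as .exe (the page only says the name is based on an existing file or folder), and it builds a constructed infected layout in a temporary directory so it runs anywhere.

```python
"""Scan a removable drive's root for the layout Win32/Agent.RZE leaves behind:
a "_" folder holding the displaced contents of original folders, next to a
look-alike file named after each displaced folder. Added example, not ESET
tooling; it assumes the look-alike carries an executable extension, and the
on-disk layout is constructed in a temporary directory so it runs anywhere."""
import os
import shutil
import tempfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}  # assumption about the dropped copy


def find_displaced(root):
    """Map each subfolder of root\\_ to the root-level executables whose stem
    matches its name (the probable worm copies). An empty list means the folder
    was displaced but no matching look-alike was found."""
    stash = os.path.join(root, "_")
    if not os.path.isdir(stash):
        return {}
    root_files = [f for f in os.listdir(root) if os.path.isfile(os.path.join(root, f))]
    found = {}
    for name in sorted(os.listdir(stash)):
        if not os.path.isdir(os.path.join(stash, name)):
            continue
        found[name] = [os.path.join(root, f) for f in root_files
                       if os.path.splitext(f)[0].lower() == name.lower()
                       and os.path.splitext(f)[1].lower() in EXEC_EXTS]
    return found


def restore_displaced(root, apply=False):
    """Plan, or with apply=True perform, moving root\\_\\X\\... back to root\\X\\...
    Existing destinations are never overwritten, and the look-alike executables
    are left in place so the analyst can collect them before deletion.
    Returns the (src, dst) pairs."""
    moves = []
    for name in find_displaced(root):
        src_dir, dst_dir = os.path.join(root, "_", name), os.path.join(root, name)
        for dirpath, _dirs, files in os.walk(src_dir):
            rel = os.path.relpath(dirpath, src_dir)
            for f in files:
                dst = os.path.normpath(os.path.join(dst_dir, rel, f))
                if not os.path.exists(dst):
                    moves.append((os.path.join(dirpath, f), dst))
    if apply:
        for src, dst in moves:
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.move(src, dst)
        for name in find_displaced(root):  # prune the emptied stash folders
            for dirpath, _dirs, _files in os.walk(os.path.join(root, "_", name), topdown=False):
                if not os.listdir(dirpath):
                    os.rmdir(dirpath)
    return moves


def build_sample(root):
    """Constructed infected layout: Photos\\ and Docs\\ were emptied into _\\Photos
    and _\\Docs, and Photos.exe / Docs.exe (fake worm bodies) sit in the root."""
    for folder in ("Photos", "Docs"):
        os.makedirs(os.path.join(root, "_", folder, "sub"))
        with open(os.path.join(root, "_", folder, "file1.txt"), "w") as fh:
            fh.write("user data\n")
        with open(os.path.join(root, folder + ".exe"), "wb") as fh:
            fh.write(b"MZ fake worm body, constructed for the example")
    with open(os.path.join(root, "_", "Docs", "sub", "notes.txt"), "w") as fh:
        fh.write("nested user data\n")
    os.makedirs(os.path.join(root, "Photos"))  # the emptied original may remain


def demo():
    """Scan and restore the constructed layout; returns (look-alike names per
    folder, restored paths as tuples relative to the root, leftovers after)."""
    with tempfile.TemporaryDirectory() as drive:
        build_sample(drive)
        lookalikes = {k: [os.path.basename(p) for p in v]
                      for k, v in find_displaced(drive).items()}
        moved = restore_displaced(drive, apply=True)
        restored = sorted(tuple(os.path.relpath(d, drive).split(os.sep)) for _, d in moved)
        return lookalikes, restored, find_displaced(drive)


if __name__ == "__main__":
    lookalikes, restored, leftovers = demo()
    for folder, names in lookalikes.items():
        print(f"{folder}: contents stashed under _\\, look-alike(s): {names or 'none'}")
    print("restored:", [os.path.join(*p) for p in restored], "still stashed:", leftovers)
```

Run it against a real drive by calling find_displaced("E:\\") first and restore_displaced("E:\\") without apply=True to review the plan; the look-alike executables are deliberately reported rather than deleted, since the Explorer settings above may also be hiding them from the user and a copy should go to the AV vendor before cleanup.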

Other information

The worm changes the home page of the following web browsers:

  • Internet Explorer

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    • "Start Page" = "http://www.114116.info"
    • "Default_Page_URL" = "http://www.114116.info"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    • "Start Page" = "http://www.114116.info"
    • "Default_Page_URL" = "http://www.114116.info"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    • "blank" = "http://www.114116.info"
    • "Tabs" = "http://www.114116.info"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    • "blank" = "http://www.114116.info"
    • "Tabs" = "http://www.114116.info"
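The Registry indicators from the Installation section (the Run entry and the Explorer settings that hide files and extensions) and the Internet Explorer home-page entries above can be checked together against a .reg export taken from a suspect host (reg export or regedit). The following is an added example, not ESET's tooling or anything from the original page: the .reg parser covers only the string and dword values these indicators need, SAMPLE_REG and CLEAN_REG are constructed exports, and the indicator weights are this example's own choice. The weighting matters because Hidden=2, ShowSuperHidden=0 and HideFileExt=1 are also the Windows defaults, so on their own they prove nothing; the Run entry pointing at a csrss.exe outside System32, the home-page URL and the SHOWALL\CheckedValue=0 tampering are what actually identify the infection.

```python
"""Match a Windows .reg export against the Registry indicators listed for
Win32/Agent.RZE. Added example, not ESET tooling: SAMPLE_REG and CLEAN_REG are
constructed exports and the indicator weights are this example's own choice."""
import re

HOMEPAGE = "http://www.114116.info"
ADV = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
IE = r"Software\Microsoft\Internet Explorer"

# (key, value name, expected data or predicate, weight). Hidden=2, ShowSuperHidden=0
# and HideFileExt=1 are also Windows defaults, so they score low on their own; the
# Run entry and the home-page URL are strong; SHOWALL\CheckedValue=0 silently breaks
# the "Show hidden files and folders" option and is the usual tell of this trick.
INDICATORS = [
    # The real csrss.exe is started by smss.exe, never from a Run key.
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "TINTIMG",
     lambda v: isinstance(v, str) and v.lower().endswith("\\csrss.exe"), 5),
]
for _hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
    INDICATORS += [
        (f"{_hive}\\{ADV}", "Hidden", 2, 1),
        (f"{_hive}\\{ADV}", "ShowSuperHidden", 0, 1),
        (f"{_hive}\\{ADV}", "HideFileExt", 1, 1),
        (f"{_hive}\\{ADV}\\Folder\\Hidden\\SHOWALL", "CheckedValue", 0, 3),
        (f"{_hive}\\{ADV}\\Folder\\Hidden\\SuperHidden", "CheckedValue", 1, 2),
        (f"{_hive}\\{ADV}\\Folder\\HideFileExt", "CheckedValue", 1, 1),
        (f"{_hive}\\{IE}\\Main", "Start Page", HOMEPAGE, 5),
        (f"{_hive}\\{IE}\\Main", "Default_Page_URL", HOMEPAGE, 5),
        (f"{_hive}\\{IE}\\AboutURLs", "blank", HOMEPAGE, 5),
        (f"{_hive}\\{IE}\\AboutURLs", "Tabs", HOMEPAGE, 5),
    ]

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.+)$')


def parse_reg(text):
    """Parse the .reg subset needed here: [key] headers, quoted REG_SZ and dword
    values. Keys and names are lower-cased (the Registry is case-insensitive).
    Returns {(key, name): data}; other value types are skipped."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _KEY.match(line)):
            key = m.group(1).lower()
        elif key is not None and (m := _VALUE.match(line)):
            name, data = m.group(1).lower(), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                entries[(key, name)] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                entries[(key, name)] = int(data[6:], 16)
    return entries


def match_indicators(entries):
    """Return ([(key, name, data), ...], weighted score) for the indicators present."""
    hits, score = [], 0
    for key, name, expected, weight in INDICATORS:
        data = entries.get((key.lower(), name.lower()))
        if data is None:
            continue
        if expected(data) if callable(expected) else data == expected:
            hits.append((key, name, data))
            score += weight
    return hits, score


def is_infected(entries, threshold=5):
    """One strong indicator, or the SHOWALL tampering plus the three
    default-looking Explorer values, is enough to flag the host."""
    return match_indicators(entries)[1] >= threshold


# Constructed export from an infected user profile (HKLM keys omitted for brevity).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TINTIMG"="C:\\Users\\alice\\AppData\\Roaming\\csrss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.114116.info"
"Default_Page_URL"="http://www.114116.info"
'''

# Constructed export from a default install: same three Explorer values, but the
# SHOWALL option still works and the home page is untouched.
CLEAN_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_REG), ("clean", CLEAN_REG)):
        hits, score = match_indicators(parse_reg(text))
        print(f"{label}: score={score} infected={is_infected(parse_reg(text))}")
        for key, name, data in hits:
            print(f"  {key}\\{name} = {data!r}")
```

On a real host, feed parse_reg() the output of reg export for HKLM and HKCU (the exporter writes UTF-16, so open the file with that encoding) and treat any hit on the Run entry or the home-page URL as confirmation; the three default-looking Explorer values alone should never trigger a verdict, which is what the CLEAN_REG case checks.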
