Win32/Agent.SFI [Threat Name]

Win32/Agent.SFI [Threat Variant Name]

Category trojan
Size 430080 B
Detection created Feb 04, 2011
Detection database version 5847
Aliases Trojan.Win32.Agentb.bufv (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
    • "MRUList" = ""

Information stealing

The trojan collects various sensitive information.


The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings
  • CPU information
  • amount of operating memory
  • computer IP address
  • external IP address of the network device
  • opened port number
  • default Internet browser
  • URLs visited
  • screenshots
  • Registry entries
  • user domain name

The collected information is stored in the following file:

  • %workingfolder%\%variable%.nfo

A string with variable content is used instead of %variable%.

Other information

The trojan acquires data and commands from files with specific content.


The malware configuration is passed as command line parameters or read from the file when the malware executable is launched.


Configuration is stored in the following file:

  • %workingfolder%\config.ins

It can execute the following operations:

  • copy files
  • run executable files
  • obtain the list of shared network folders
