Win32/Agent.SLM [Threat Name] go to Threat

Win32/Agent.SLM [Threat Variant Name]

Category trojan
Size 877056 B
Detection created Apr 12, 2011
Detection database version 6036
Short description

Win32/Agent.SLM serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan is probably a part of other malware.


The trojan registers itself as a system service with variable name.


The trojan may create the following files:

  • %temp%\­myu.tmp
  • %appdata%\­wins.tmp
Information stealing

The trojan collects the following information:

  • operating system version
  • CPU information
  • list of disk devices and their type
  • list of running processes
  • list of files/folders on a specific drive

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The SSL, TLS protocol is used in the communication.


It may perform the following actions:

  • execute shell commands
  • create folders
  • delete folders
  • send files to a remote computer
  • modify content of the files
  • move files
  • delete files
  • terminate running processes
  • shut down/restart the computer

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­services\­upnphost]
    • "ErrorActions" = %variable%
    • "TimeActions" = %variable%

A string with variable content is used instead of %variable% .


Please enable Javascript to ensure correct displaying of this content and refresh this page.