Win32/Agent.THP

Category: trojan
Size: 38912 B
Detection created: Oct 29, 2008
Detection database version: 3567
Aliases: Trojan:Win32/Gyplit.A (Microsoft)

Short description

Win32/Agent.THP installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %userprofile%\Application Data\Microsoft\Messenger\SpeechEngines\xpmsgr.exe (4608 B)
  • %userprofile%\Cookies\windch.dat (583 B)
  • %userprofile%\Local Settings\Application Data\Microsoft\Media Player\wmpaud1.wav (26926 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "load" = "%userprofile%\Application Data\Microsoft\Messenger\SpeechEngines\xpmsgr.exe"
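
A host check for the files and the autostart value listed above, as an added example (not part of the original description or the vendor's tooling). The function name Test-AgentThpArtifacts is hypothetical; the paths, sizes and registry value come from this page, and the registry check assumes the script runs as the user being examined.

```powershell
# Added example: look for the artifacts this description lists.
# Test-AgentThpArtifacts is a hypothetical name; paths and sizes are from the page.
function Test-AgentThpArtifacts {
    [CmdletBinding()]
    param(
        # Profile directory to inspect; defaults to the current user's profile.
        [string]$ProfilePath = $env:USERPROFILE
    )

    # Path relative to the profile -> size in bytes as listed in the description.
    $expected = [ordered]@{
        'Application Data\Microsoft\Messenger\SpeechEngines\xpmsgr.exe'      = 4608
        'Cookies\windch.dat'                                                  = 583
        'Local Settings\Application Data\Microsoft\Media Player\wmpaud1.wav' = 26926
    }
    $findings = @()

    foreach ($rel in $expected.Keys) {
        $full = Join-Path $ProfilePath $rel
        # -Force so hidden or system files are also returned.
        $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Type        = 'File'
                Location    = $full
                Detail      = "$($item.Length) B"
                MatchesPage = ($item.Length -eq $expected[$rel])
            }
        }
    }

    # The "load" value is read from the hive of the user running the script.
    $key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = (Get-ItemProperty -Path $key -Name 'load' -ErrorAction SilentlyContinue).load
    if (-not [string]::IsNullOrWhiteSpace($load)) {
        # Report any non-empty autostart value; flag the file name from the page.
        $findings += [pscustomobject]@{
            Type        = 'Registry'
            Location    = "$key\load"
            Detail      = $load
            MatchesPage = ($load -like '*xpmsgr.exe*')
        }
    }
    $findings
}

Test-AgentThpArtifacts | Format-Table -AutoSize -Wrap
```

A row with MatchesPage set to False still deserves review: a file at one of these paths with a different size, or a "load" value pointing elsewhere, is not explained by this description but is unusual on a clean system.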

The trojan creates and runs a new thread with its own program code within the following processes:

  • iexplore.exe

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It may perform the following actions:

  • run executable files
  • send the list of running processes to a remote computer
  • send the list of files on a specific drive to a remote computer
  • send the result of an executed program
