Win32/Agent.TJO [Threat Name] go to Threat

Win32/Agent.TJO [Threat Variant Name]

Category trojan
Size 81920 B
Detection created Jan 16, 2012
Detection database version 6799
Aliases Trojan-PSW.Win32.Qbot.aem (Kaspersky)
Short description

Win32/Agent.TJO is a trojan which tries to download other malware from the Internet.


When executed, the trojan copies itself into the following location:

  • %commonappdata%\­%variable%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable%" = "%commonappdata%\­%variable%.exe"

A string with variable content is used instead of %variable% .

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
Information stealing

The trojan collects various information related to the operating system.

The collected information is stored in the following files:

  • %commonappdata%\­b333_logs.txt

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan will attempt to download several files from the Internet.

These are stored in the following locations:

  • %commonappdata%\­%variable%32.dll
  • %commonappdata%\­%variable%64.dll

The trojan contains a list of (1) URLs. The HTTP protocol is used.

The trojan can create and run a new thread with its own program code within the following processes:

  • iexplore.exe
  • firefox.exe
  • mozilla.exe

The trojan hooks the following Windows APIs:

  • NtResumeThread (ntdll.dll)
  • ZwResumeThread (ntdll.dll)

The trojan contains both 32-bit and 64-bit program components.

Please enable Javascript to ensure correct displaying of this content and refresh this page.