Win32/Agent.USR [Threat Name]

Win32/Agent.USR [Threat Variant Name]

Category trojan
Size 89088 B
Detection created Apr 29, 2013
Detection database version 8278
Aliases Trojan.Win32.Crypt.pek (Kaspersky)
  Trojan:Win32/Alureon.GQ (Microsoft)
  Win32:Downloader-TNW (Avast)
Short description

Win32/Agent.USR is a trojan which tries to download other malware from the Internet. The file is run-time compressed using XPACK.

Installation

The trojan is probably a part of other malware.


When executed, the trojan copies itself into the following location:

  • %temp%\%variable1%\%variable2%\wow.dll

A string with variable content is used instead of %variable1-2%.


The trojan may create the following files:

  • %temp%\%variable1%\%variable2%\wow64.dll (2560 B, Win64/Olmarik.BD)

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
    • "InProcServer32" = "%temp%\%variable1%\%variable2%\wow.dll"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
    • "InProcServer32" = "%temp%\%variable1%\%variable2%\wow64.dll"

This is a per-user COM hijack: for processes running at the user's own integrity level, CLSID registrations under HKEY_CURRENT_USER\Software\Classes take precedence over the machine-wide ones under HKEY_LOCAL_MACHINE, so a process in that user's session which activates this CLSID loads the trojan's DLL in place of the legitimate in-process server. Malicious code is executed every time the infected DLL is loaded.
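The following PowerShell check is an added example for hunting the persistence described above; it is not part of the original ESET report. It enumerates every CLSID registered under HKEY_CURRENT_USER\Software\Classes, reads the in-process server DLL path (COM stores it as the default value of an InprocServer32 subkey; the report writes it as a value named "InProcServer32", so both forms are read), and flags the CLSID named in this report, any DLL served out of %TEMP%, or a DLL called wow.dll or wow64.dll. The function names are hypothetical and the script assumes it runs in the session of the user being examined.

```powershell
# Added example, not ESET's code: find per-user COM in-process servers that match the
# indicators in this report (hypothetical function names).

$ReportedClsid = '{fbeb8a05-beee-4442-804e-409d6c4515e9}'   # CLSID from the report
$TempRoot      = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

function Get-HkcuInprocServers {
    # Enumerate every CLSID under the current user's Classes hive that carries an
    # in-process server path, in either the subkey form or the value form.
    $base = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $base)) { return }
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $path  = $null
        $sub   = Join-Path -Path $_.PSPath -ChildPath 'InprocServer32'
        if (Test-Path -Path $sub) {
            # Canonical COM layout: InprocServer32 subkey, DLL path in its default value.
            $path = (Get-ItemProperty -Path $sub -ErrorAction SilentlyContinue).'(default)'
        }
        if (-not $path) {
            # Layout as written in the report: a value named InProcServer32 on the CLSID key.
            $path = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).InProcServer32
        }
        if ($path) {
            [pscustomobject]@{
                Clsid     = $clsid
                ServerDll = [Environment]::ExpandEnvironmentVariables($path)
            }
        }
    }
}

function Test-SuspiciousInprocServer {
    param([string]$Clsid, [string]$ServerDll)
    # Match on the reported CLSID, a DLL loaded from under %TEMP%, or the reported file names.
    $inTemp  = $ServerDll.TrimEnd('\').StartsWith($TempRoot, [System.StringComparison]::OrdinalIgnoreCase)
    $nameHit = [System.IO.Path]::GetFileName($ServerDll) -in @('wow.dll', 'wow64.dll')
    return ($Clsid -ieq $ReportedClsid) -or $inTemp -or $nameHit
}

$hits = Get-HkcuInprocServers |
    Where-Object { Test-SuspiciousInprocServer -Clsid $_.Clsid -ServerDll $_.ServerDll }

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No HKCU CLSID in-process server points into %TEMP%, and the reported CLSID is not registered per-user.'
}
```

A legitimate per-user COM registration under this CLSID is unusual on a clean machine, and a DLL served from %TEMP% is suspicious for any CLSID; a hit should be compared against the HKLM registration of the same CLSID and the referenced file submitted for scanning before it is removed.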


The trojan launches the following processes:

  • svchost.exe -k netsvcs

The trojan creates and runs a new thread with its own code within these running processes.


The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan may execute the following commands:

  • rundll32.exe %temp%\%variable1%\%variable2%\wow64.dll, 0

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

Win32/Agent.USR is a trojan which tries to download other malware from the Internet.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 5 URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • google.com:80

The trojan contains both 32-bit and 64-bit program components.
