Win32/Agent.VNC [Threat Name]

Win32/Agent.VNC [Threat Variant Name]

Category trojan
Size 438272 B
Detection created Jan 16, 2014
Detection database version 10189
Aliases TrojanSpy:Win32/Nivdort.Z (Microsoft)

Short description

Win32/Agent.VNC is a trojan which tries to download other malware from the Internet.


When executed, the trojan copies itself to the following locations:

  • %appdata%\hohjyzailmq\lhajawqat.exe
  • %appdata%\hohjyzailmq\ciwoylhmcdp.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "TPM Shell Isolation Print Performance Protection" = "%appdata%\hohjyzailmq\lhajawqat.exe"

The following file is dropped:

  • %appdata%\hohjyzailmq\lhajawqat.cwj

The trojan executes the following files:

  • %appdata%\hohjyzailmq\ciwoylhmcdp.exe

Other information

The trojan generates various URL addresses.

It tries to download a file from the addresses.

The file is stored in the following location:

  • %appdata%\hohjyzailmq\pfmj%variable%dmjz.exe

The HTTP protocol is used. The file is then executed.

A string with variable content is used instead of %variable%.

The trojan may terminate specific running processes.
