Win32/Agent.VXH [Threat Name]

Win32/Agent.VXH [Threat Variant Name]

Category trojan
Size 371172 B
Detection created Apr 25, 2014
Detection database version 9723
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.


The trojan quits immediately if it is run within a debugger.


The trojan terminates its execution if it detects that it is running in a specific virtual environment.


The trojan quits immediately if any of the following applications is detected:

  • Sandboxie
  • WinPcap

The trojan quits immediately if it detects a window containing one of the following strings in its title:

  • OLLYDBG
  • PROCEXPL
  • PROCMON_WINDOW_CLASS
  • WinDbgFrameClass

Information stealing

Win32/Agent.VXH is a trojan that steals sensitive information.


The trojan collects the following information:

  • login passwords for certain applications/services
  • login user names for certain applications/services
  • FTP account information
  • user name
  • operating system version
  • information about the operating system and system settings
  • network adapter information
  • CPU information
  • country code
  • memory status
  • proxy server settings

The following programs are affected:

  • FileZilla
  • FlashFXP
  • Internet Explorer
  • Microsoft Outlook
  • Mozilla Firefox

The following services are affected:

  • MSN
  • Protected Storage
  • Windows Live

The trojan is able to log keystrokes.


The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (17) URLs. The trojan generates various IP addresses. The HTTPS protocol is used.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • adobe.com
  • amazon.com
  • bing.com
  • facebook.com
  • google.com
  • signin.ebay.com
  • update.microsoft.com
  • www.linkedin.com
  • www.live.com
  • www.microsoft.com
  • yahoo.com
  • youtube.com

It downloads the other part of the infiltration.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • spread via removable drives
  • capture screenshots
  • run executable files
  • uninstall itself
  • update itself to a newer version

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%lastknowngood%\Control\SafeBoot\Minimal\WindowsClientServerRunTimeSubsystem]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%lastknowngood%\Control\SafeBoot\Network\WindowsClientServerRunTimeSubsystem]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsClientServerRunTimeSubsystem]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WindowsClientServerRunTimeSubsystem]
    • "(Default)" = "Service"

Instead of %lastknowngood%, the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\Select\LastKnownGood]
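A defender-side check for the SafeBoot entries listed above, added here as an example and not part of the ESET entry. It resolves %lastknowngood% from HKLM\SYSTEM\Select as the entry describes, reports any WindowsClientServerRunTimeSubsystem key under either control set, and, on the assumption that a "Service" SafeBoot entry names a key under Services, also prints that service's ImagePath for triage; it assumes an elevated PowerShell session on the inspected host.

```powershell
# Added triage script (not from the ESET entry). Looks for the SafeBoot
# persistence keys described above under both the active and the
# last-known-good control set and reports what it finds.

$serviceKey = 'WindowsClientServerRunTimeSubsystem'

# Resolve %lastknowngood% from HKLM\SYSTEM\Select, as the entry describes.
# Control sets are named ControlSet001, ControlSet002, ... (zero-padded).
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$lkg    = '{0:D3}' -f [int]$select.LastKnownGood

$controlSets = @('CurrentControlSet', "ControlSet$lkg") | Select-Object -Unique
$findings    = @()

foreach ($cs in $controlSets) {
    foreach ($mode in @('Minimal', 'Network')) {
        $path = "HKLM:\SYSTEM\$cs\Control\SafeBoot\$mode\$serviceKey"
        if (Test-Path -Path $path) {
            # The entry states the default value is "Service"; record it as found.
            $default = (Get-ItemProperty -Path $path).'(default)'
            $findings += [pscustomobject]@{
                ControlSet = $cs
                Mode       = $mode
                Path       = $path
                Default    = $default
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No SafeBoot entries named '$serviceKey' were found."
} else {
    Write-Output "SafeBoot entries named '$serviceKey' (the name used by this trojan):"
    $findings | Format-Table -AutoSize

    # Assumption: a "Service" SafeBoot entry refers to a service key of the same
    # name. Show its ImagePath so the binary can be inspected and removed.
    $svcPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceKey"
    if (Test-Path -Path $svcPath) {
        $svc = Get-ItemProperty -Path $svcPath
        Write-Output "Service '$serviceKey' ImagePath: $($svc.ImagePath)"
    } else {
        Write-Output "No service named '$serviceKey' is registered; the SafeBoot keys are orphaned."
    }
}
```

On a clean host the script prints only the "No SafeBoot entries" line; the key name alone is a useful hunting artefact because no legitimate Windows service uses it.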
