Win32/Agent.VXU [Threat Name]

Win32/Agent.VXU [Threat Variant Name]

Category trojan
Size 305152 B
Detection created May 06, 2014
Detection database version 9765
Aliases Win32:HackTool-FX (Avast)
Short description

Win32/Agent.VXU installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %temp%\Framework.bat (~200 B, Win32/Agent.VXU)
  • %temp%\Framework.dll (71168 B, Win32/Agent.VXU)
  • %temp%\StartExe.exe (57856 B, Win32/Agent.VXU)
  • %temp%\w7e1.tmp (58368 B, Win32/Agent.VXU)

The trojan creates copies of the following files (source, destination):

  • %temp%\Framework.dll, C:\windows\system32\Framework.dll

The trojan registers itself as a system service using the following name:

  • Framework

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    • "Framework" = "Framework"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Framework]
    • "Type" = 32
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\svchost.exe -k Framework"
    • "DisplayName" = "Framework"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Microsoft NET Framework NGEN"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Framework\Parameters]
    • "ServiceDll" = "%systemroot%\system32\Framework.dll"

This causes the trojan to be executed on every system start: the service is auto-start ("Start" = 2) and of the shared-process type ("Type" = 32), so at boot svchost.exe is launched with its own group ("-k Framework") and loads the DLL named in the "ServiceDll" value under the LocalSystem account. The "Description" value imitates the .NET Framework NGEN service to make the entry look legitimate.

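The persistence above is a generic pattern (a new svchost group whose only member is a service pointing "ServiceDll" at an unsigned DLL in System32), so it is worth hunting for on any host, not just for the file names listed here. The following PowerShell script is an added example written for this page; it is not ESET's code or the trojan's code. It enumerates every svchost group, resolves each member service's "ServiceDll", and flags the indicators seen in this sample: a group name that is not a built-in one, a group whose name equals its single service name, and a DLL that is missing or not validly signed by Microsoft. The allowlist of built-in groups is an assumption and is illustrative only; it should be regenerated from a known-clean reference host of the same Windows build.

```powershell
# Hunt for svchost-hosted services with suspicious group membership or ServiceDll.
# Added example for this page (not code from the malware or from ESET).
# Assumption: run in an elevated PowerShell on the host being examined.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Illustrative allowlist (assumption): svchost groups that ship with Windows.
# Build the real list from a clean reference host; a group absent here is worth a look.
$knownGroups = @(
    'LocalService', 'LocalServiceNoNetwork', 'LocalServiceNetworkRestricted',
    'LocalSystemNetworkRestricted', 'NetworkService', 'NetworkServiceNetworkRestricted',
    'netsvcs', 'DcomLaunch', 'RPCSS', 'wcssvc', 'rdxgroup', 'UnistackSvcGroup',
    'imgsvc', 'termsvcs', 'BthAppGroup', 'swprv', 'wsappx'
)

$groups = Get-ItemProperty -Path $svchostKey

$findings = foreach ($prop in $groups.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSChildName/etc. metadata; skip those, keep only group values.
    if ($prop.Name -like 'PS*') { continue }

    $group   = $prop.Name
    $members = @($prop.Value)          # REG_MULTI_SZ: one service name per element

    foreach ($svc in $members) {
        $svcPath    = Join-Path $servicesKey $svc
        $paramsPath = Join-Path $svcPath 'Parameters'

        $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }    # not a DLL-hosted service; nothing for svchost to load

        $imagePath = (Get-ItemProperty -Path $svcPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $expanded  = [Environment]::ExpandEnvironmentVariables($dll)
        $sig       = if (Test-Path -LiteralPath $expanded) { Get-AuthenticodeSignature -FilePath $expanded } else { $null }

        $reasons = @()
        if ($knownGroups -notcontains $group) { $reasons += "svchost group '$group' is not a built-in group" }
        if ($members.Count -eq 1 -and $group -eq $svc) { $reasons += 'group name equals its only service name' }
        if (-not $sig) {
            $reasons += 'ServiceDll does not exist on disk'
        } elseif ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "ServiceDll is not validly signed by Microsoft (status: $($sig.Status))"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc
                Group      = $group
                ImagePath  = $imagePath
                ServiceDll = $expanded
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

On a host infected with this sample the script reports a service named Framework in a group named Framework, with ImagePath "%systemroot%\System32\svchost.exe -k Framework" and an unsigned ServiceDll at %systemroot%\system32\Framework.dll. The "Description" value is deliberately ignored as a trust signal: the genuine .NET NGEN service runs mscorsvw.exe rather than svchost.exe, so a description string alone says nothing about what is loaded.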
The trojan launches the following processes:

  • %temp%\StartExe.exe
  • %temp%\Framework.bat
  • %system%\cmd.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

After the installation is complete, the trojan deletes the original executable file.

The following files are deleted:

  • %temp%\Framework.bat
  • %temp%\Framework.dll
  • %temp%\StartExe.exe
  • %temp%\w7e1.tmp

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs. The TCP protocol is used.

It can execute the following operations:

  • execute shell commands