Win32/Agent.WBI [Threat Name]

Win32/Agent.WBI [Threat Variant Name]

Category trojan
Size 54784 B
Detection created Jun 16, 2014
Detection database version 9954
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.
The trojan does not create any copies of itself.

The trojan registers itself as a system service using the following name:

  • %variable%

This causes the trojan to be executed on every system start.

Instead of %variable%, the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]

Information stealing

Win32/Agent.WBI is a trojan that steals sensitive information.

The trojan collects the following information:

  • computer name
  • MAC address
  • operating system version
  • information about the operating system and system settings
  • CPU information
  • amount of operating memory
  • network adapter information
  • volume serial number
  • BIOS version
  • a list of recently visited URLs

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) IP addresses. The TCP protocol is used in the communication.

It downloads the other part of the infiltration.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • shut down/restart the computer
  • create Registry entries
  • send gathered information
  • various Registry operations
  • delete Registry entries
  • log keystrokes
  • capture screenshots
  • create files
  • create folders
  • delete folders
  • delete files
  • copy files
  • move files
  • send requested files
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • send the list of running processes to a remote computer
  • set file attributes

The trojan keeps various information in the following Registry keys:

  • [HKEY_USERS\.DEFAULT\Plugin]
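The persistence mechanism described above (a service named after one of the entries in the Svchost netsvcs group) and the HKEY_USERS\.DEFAULT\Plugin key can both be checked from an elevated PowerShell session. The script below is an added audit example, not code from the ESET description, and it rests on two assumptions that the page does not state: that the trojan's service is hosted by svchost.exe through a ServiceDll value, and that a legitimate netsvcs member's DLL lives under %SystemRoot% and carries a valid Authenticode signature. The function names are the author's own.

```powershell
# Added audit script (not part of the ESET description). Assumptions: the
# service installed by the trojan is hosted by svchost.exe via a ServiceDll
# value, and a legitimate netsvcs member's DLL lives under %SystemRoot% and
# carries a valid Authenticode signature. Run from an elevated PowerShell.

function Get-NetsvcsMembers {
    # The REG_MULTI_SZ the description refers to as the source of %variable%
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    (Get-ItemProperty -Path $key -Name netsvcs).netsvcs
}

function Test-NetsvcsService {
    param([string]$Name)

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $svcKey)) { return }   # group member with no installed service

    $params = Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
    if (-not $params) { return }               # not an svchost-hosted service

    # Get-ItemProperty expands REG_EXPAND_SZ already; expanding again covers a
    # value written as plain REG_SZ that still contains %SystemRoot%
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $inWinDir = $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    $sigStatus = if (Test-Path -LiteralPath $dll) {
        (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
    } else {
        'FileMissing'
    }

    [PSCustomObject]@{
        Service    = $Name
        ServiceDll = $dll
        InWinDir   = $inWinDir
        Signature  = $sigStatus
        Suspicious = (-not $inWinDir) -or ($sigStatus -ne 'Valid')
    }
}

# 1. Every netsvcs member that resolves to an installed, svchost-hosted service
$report = Get-NetsvcsMembers | ForEach-Object { Test-NetsvcsService -Name $_ }
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 2. The key this variant is described as using to keep its own data
$pluginKey = 'Registry::HKEY_USERS\.DEFAULT\Plugin'
if (Test-Path -LiteralPath $pluginKey) {
    Write-Warning "Found $pluginKey; export it for analysis before remediation"
    Get-ItemProperty -LiteralPath $pluginKey | Format-List
}
```

The output is a triage list rather than a verdict: a third-party service that legitimately joins the netsvcs group but ships an unsigned DLL will show as Suspicious, and a signed DLL copied into the Windows directory will not. Pair a hit with the ServiceDll's creation time and the service's description string before deciding it matches this variant.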

The trojan hooks the following Windows APIs:

  • GetModuleFileNameW (kernel32.dll)
