Win32/Agent.WCR [Threat Name]

Win32/Agent.WCR [Threat Variant Name]

Category trojan
Size 155093 B
Detection created Jul 09, 2014
Detection database version 10069
Aliases Backdoor.Win32.Agent.dgwx (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Microsoft\HTML Help\%variable%.exe

A string with variable content is used instead of %variable%.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "AdobeReaderUpd" = "%appdata%\Microsoft\HTML Help\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "Intel Software Manager" = "%appdata%\Microsoft\HTML Help\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Update" = "%appdata%\Microsoft\HTML Help\%variable%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Java(TM) Update Scheduler" = "%appdata%\Microsoft\HTML Help\%variable%.exe"

The trojan can inject its own code and run it as a new thread within the following processes:

  • %systemx86%\lsass.exe
  • %systemx86%\dllhost.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • network adapter information

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

It uses its own P2P network for communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • execute shell commands
  • send files to a remote computer
  • send gathered information

The trojan can modify the following files:

  • %commonstartup%\*.lnk
  • %startup%\*.lnk
  • %desktop%\*.lnk
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\*.lnk

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Intel]
    • "fwKs1He4" = %data%

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%systemx86%\%variable%" = "%systemx86%\%variable%:*:enabled:@xpsp2res.dll,-22017"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    • "%systemx86%\%variable%" = "%systemx86%\%variable%:*:enabled:@xpsp2res.dll,-22017"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%systemx86%\%variable%" = "%systemx86%\%variable%:*:enabled:@xpsp2res.dll,-22017"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    • "%systemx86%\%variable%" = "%systemx86%\%variable%:*:enabled:@xpsp2res.dll,-22017"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    • "WinUpdate-DPT-In" = "v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|App=%systemx86%\%variable%|Name=Windows Update|"
    • "WinUpdate-DPU-In" = "v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|App=%systemx86%\%variable%|Name=Windows Update|"
    • "WinUpdate-DPT-Out" = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=%systemx86%\%variable%|Name=Windows Update|"
    • "WinUpdate-DPU-Out" = "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=%systemx86%\%variable%|Name=Windows Update|"

The %variable% is one of the following strings:

  • lsass.exe
  • dllhost.exe
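The following host triage script is an added example, not part of the ESET entry or any ESET tool. It sweeps a Windows host for the artifacts described above: the dropped copy under %appdata%\Microsoft\HTML Help, the four autostart values listed under Installation, .lnk files in the listed folders whose target has been redirected to the drop folder, and the firewall AuthorizedApplications and FirewallRules entries that whitelist lsass.exe or dllhost.exe (neither of which needs such an entry on a clean system). The value names, paths and rule-name prefix "WinUpdate-DP" come from the entry; the script only checks CurrentControlSet, which on a running system is the same control set the ControlSet001 entries refer to.

```powershell
# Added triage script for the Win32/Agent.WCR artifacts listed in the entry.
# Not ESET code. Run from an elevated PowerShell session on the suspect host.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy: %appdata%\Microsoft\HTML Help\%variable%.exe
#    Nothing legitimate places an executable in this folder.
$dropDir = Join-Path $env:APPDATA 'Microsoft\HTML Help'
Get-ChildItem -Path $dropDir -Filter '*.exe' -File | ForEach-Object {
    $findings.Add("Dropped executable: $($_.FullName) ($($_.Length) B)")
}

# 2. Autostart values: match either the value names from the entry or any
#    value whose data points into the drop folder (the name may differ).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$knownNames = 'AdobeReaderUpd', 'Intel Software Manager', 'Microsoft Update', 'Java(TM) Update Scheduler'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PSPath, PSDrive, ... metadata
        $data = [string]$p.Value
        if ($knownNames -contains $p.Name -or $data -like '*\Microsoft\HTML Help\*.exe*') {
            $findings.Add("Autostart: $key\$($p.Name) = $data")
        }
    }
}

# 3. Firewall whitelisting of the injection targets. lsass.exe and dllhost.exe
#    never need an AuthorizedApplications entry or an allow rule of their own.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $list = Get-ItemProperty -Path "$fwBase\$profile\AuthorizedApplications\List"
    foreach ($p in $list.PSObject.Properties) {
        if ($p.Name -match '\\(lsass|dllhost)\.exe$') {
            $findings.Add("Firewall exception ($profile): $($p.Name) = $($p.Value)")
        }
    }
}
# FirewallRules values are pipe-separated key=value fields; parse them and
# flag rules whose App is one of the two binaries or whose name uses the
# "WinUpdate-DP" prefix the entry lists.
$rules = Get-ItemProperty -Path "$fwBase\FirewallRules"
foreach ($p in $rules.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }
    $fields = @{}
    foreach ($kv in ([string]$p.Value) -split '\|') {
        if ($kv -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    if ($fields['App'] -match '\\(lsass|dllhost)\.exe$' -or $p.Name -like 'WinUpdate-DP*') {
        $findings.Add("Firewall rule $($p.Name): Dir=$($fields['Dir']) Protocol=$($fields['Protocol']) Active=$($fields['Active']) App=$($fields['App'])")
    }
}

# 4. Shortcut hijack: .lnk files in the listed folders whose target resolves
#    into the drop folder (the entry says the files are modified, not which
#    field; a redirected target is the check that costs nothing to run).
$lnkDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $lnkDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -File | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -like '*\Microsoft\HTML Help\*.exe') {
            $findings.Add("Hijacked shortcut: $($_.FullName) -> $target")
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Agent.WCR artifacts found.' } else { $findings }
```

Because the dropped file name is variable and the original executable is deleted after installation, the checks key on the fixed parts (the drop folder, the value names, the firewall entries and the injection targets) rather than on a hash. Run the script for each user profile of interest, since three of the artifacts live under HKCU and %appdata%.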

The trojan hooks the following Windows APIs:

  • CreateProcessW (kernel32.dll)
