Win32/Agent.WJS [Threat Name]

Win32/Agent.WJS [Threat Variant Name]

Category trojan
Size 303104 B
Detection created Oct 09, 2014
Detection database version 10538
Aliases Trojan:Win32/Dynamer!ac (Microsoft)
  Downloader.MisleadApp (Symantec)
Short description

Win32/Agent.WJS is a trojan that steals various files. The trojan attempts to send gathered information to a remote machine. The trojan is probably a part of other malware.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "VisualGraphicsToolsAdapter"="%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "VisualGraphicsToolsAdapter"="%malwarefilepath%"

The trojan may create the following files:

  • %currentfolder%\VST.dat
  • %currentfolder%\VSTAHostCtr.dat
  • %currentfolder%\winsys32.dat
  • %currentfolder%\winsys64.dat
  • %currentfolder%\%variable1%
  • %currentfolder%\VSTAHost\%variable2%.dat

A string with variable content is used instead of %variable1% and %variable2%.
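A triage check for the persistence entry and fixed-name data files listed above, run over an exported Run key and a folder listing. This is an added example, not part of the original description; the function names and sample data are constructed, and it assumes %currentfolder% is the folder of the binary named in the Run entry.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
RUN_VALUE = "visualgraphicstoolsadapter"
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
DROPPED = {"vst.dat", "vstahostctr.dat", "winsys32.dat", "winsys64.dat"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def find_run_persistence(reg_text):
    """Return (key, target path) for Run values named like the trojan's entry."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key and key.lower() in RUN_KEYS:
            if unescape(m.group(1)).lower() == RUN_VALUE:
                hits.append((key, unescape(m.group(2))))
    return hits

def find_dropped_files(target, listing):
    """Assumes %currentfolder% is the folder of `target`; returns matching .dat paths."""
    folder = PureWindowsPath(target).parent
    return sorted(str(folder / n) for n in listing if n.lower() in DROPPED)

# Constructed sample input (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\upd.exe\" /bg"
"VisualGraphicsToolsAdapter"="C:\\Users\\alice\\AppData\\Roaming\\vgt\\host.exe"

[HKEY_CURRENT_USER\Software\Example]
"VisualGraphicsToolsAdapter"="C:\\not\\a\\run\\key.exe"
'''
SAMPLE_LISTING = ["host.exe", "VST.dat", "winsys64.dat", "notes.txt"]

if __name__ == "__main__":
    for key, target in find_run_persistence(SAMPLE_REG):
        print("Run entry:", key, "->", target)
        print("  data files:", find_dropped_files(target, SAMPLE_LISTING))
```

Files written by `reg export` are UTF-16 encoded, so decode them to text before passing the content to `find_run_persistence`.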


The trojan terminates its execution if it detects that it's running in a specific virtual environment.

Information stealing

The following information is collected:

  • user name
  • computer name
  • operating system version

The trojan searches local drives for files with the following file extensions:

  • *.doc*
  • *.ppt*
  • *.xls*
  • *.mdb*

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 20 URLs. It communicates with them over the HTTP protocol.


It can execute the following operations:

  • send gathered information
