Win32/Agent.XFW [Threat Name] go to Threat

Win32/Agent.XFW [Threat Variant Name]

Category trojan
Size 281309 B
Detection created Jun 02, 2015
Detection database version 11725
Aliases Trojan:Win32/Xabil.A (Microsoft)
  Backdoor.Emdivi (Symantec)
  Win32:Xabil-A (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using RAR SFX .


When executed, the trojan creates the following files:

  • %temp%\­vmater.exe (228864 B, Win32/Agent.XFV)
  • %temp%\­h260104.xls (143872 B)

The files are then executed.

In order to be executed on every system start, the trojan modifies the following Registry key:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Userinit" = "%originalvalue%,%temp%\­vmater.exe,"

The trojan may create the following files:

  • %startup%\­vmater.lnk

The trojan quits immediately if the computer name is one of the following:

  • CWS01_03
  • CWS05D102
  • mip-xp-cht
  • wilbert-SC1508
  • wilbert-SC2202
  • xp-sp3-template

The trojan quits immediately if it detects a window containing one of the following strings in its title:

  • ollydbg
  • Process Explorer
  • Process Hacker
  • Process Monitor
  • SoftICE
  • W32Dasm
  • Wireshark
Information stealing

The trojan collects various sensitive information.

The following information is collected:

  • information about the operating system and system settings
  • amount of operating memory
  • Windows Protected Storage passwords and credentials
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • execute shell commands
  • send requested files
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.