Win32/Agent.XWT [Threat Name] go to Threat

Win32/Agent.XWT [Threat Variant Name]

Category trojan
Size 414456 B
Detection created Mar 22, 2016
Detection database version 13214
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\­TMKernelU.dll

The trojan may register itself as a system service using the following name:

  • TMKernelHelpU

This causes the trojan to be executed on every system start.


The trojan may create copies of the following files (source, destination):

  • %currentfolder%\­TMKernel.sys, %system%\­TMKernel.sys
  • %currentfolder%\­TMKernel.sys, %system%\­drivers\­TMKernel.sys

The trojan may install the following system drivers (path, name):

  • %system%\­drivers\­TMKernel.sys, TMKernel

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Class\­{6F425913-B218-4FFB-9188-C356B553BEA0}]
    • "ComDB" = %variable1%
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control]
    • "ServicesPipeTimeout" = 60000
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­TMKernel\­Instances]
    • "DefaultInstance" = "0001"
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­TMKernel\­Instances\­0001]
    • "Altitude" = "387000"
    • "Flags" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­services\­TMKernelSrv]
    • "UserSID" = "%variable2%"

A string with variable content is used instead of %variable1-2% .

Information stealing

The trojan collects the following information:

  • operating system version
  • malware version
  • language settings

The trojan attempts to send gathered information to a remote machine.


The trojan contains a URL address. The HTTP protocol is used.


Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The UDP, HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan keeps various information in the following files:

  • %commonappdata%\­Cache\­{CD31F005-B4E0-4798-BD77-7B5E6EB2B287}
  • %commondocuments%\­XMUpdate\­conf.db

Please enable Javascript to ensure correct displaying of this content and refresh this page.