Win32/Agent.YCZ [Threat Name] go to Threat

Win32/Agent.YCZ [Threat Variant Name]

Category trojan
Size 791040 B
Detection created Jul 12, 2016
Detection database version 13792
Aliases Trojan-Dropper.Win32.Sysn.bpdq (Kaspersky)
  Trojan:Win32/Dynamer!ac (Microsoft)
Short description

The trojan is designed to artificially generate traffic to certain Internet sites. The trojan is probably a part of other malware.


When executed, the trojan copies itself into the following location:

  • %localappdata%\­Microsoft\­Protect\­protecthost.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Microsoft system protection service" = "rundll32.exe "%localappdata%\­Microsoft\­Protect\­protecthost.dll",DllInstall"

The trojan launches the following processes:

  • rundll32.exe "%localappdata%\­Microsoft\­Protect\­protecthost.dll",DllInstall
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (6) URLs. The HTTP protocol is used.

It can execute the following operations:

  • visit a specific website

The trojan attempts to bruteforce login credentials.

Username and password combination list it received from C&C malware server.

The trojan keeps various information in the following files:

  • %localappdata%\­SysHashTable\­SysHashInfo.db

Please enable Javascript to ensure correct displaying of this content and refresh this page.