Win32/TrojanDownloader.Agent.AFD [Threat Name]

Win32/TrojanDownloader.Agent.AFD [Threat Variant Name]

Category: trojan
Size: 729600 B
Detection created: Nov 12, 2013
Detection database version: 9039
Aliases: Win32:Agent-ASGX (Avast), TR/Symmi.14078.6 (Avira)
Short description

Win32/TrojanDownloader.Agent.AFD is a trojan which tries to download other malware from the Internet.

Other information

The trojan does not create any copies of itself.


The trojan creates the following files:

  • %workingfolder%\%variable1%.ini
  • %working_folder%\%variable1%\%variable2%.tmp
  • %localappdata%\Temp\%variable3%.tmp (419328 B, Win32/TrojanDownloader.Agent.AFD)

A string with variable content is used instead of %variable1-3%.


The following Registry entries are set:

  • [HKEY_CLASSES_ROOT\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0]
    • "(Default)" = "runtimeLib"
  • [HKEY_CLASSES_ROOT\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\FLAGS]
    • "(Default)" = "0"
  • [HKEY_CLASSES_ROOT\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\0\win32]
    • "(Default)" = "%localappdata%\Temp\%variable3%.tmp"
  • [HKEY_CLASSES_ROOT\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\HELPDIR]
    • "(Default)" = "%localappdata%\Temp"
  • [HKEY_CLASSES_ROOT\Interface\{3B3F3AAD-49FF-BFEE-D22869AC4325}]
    • "(Default)" = "IRuntime"
  • [HKEY_CLASSES_ROOT\Interface\{3B3F3AAD-49FF-BFEE-D22869AC4325}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{3B3F3AAD-49FF-BFEE-D22869AC4325}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{3B3F3AAD-49FF-BFEE-D22869AC4325}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_CLASSES_ROOT\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}]
    • "(Default)" = "IDownloadJob"
  • [HKEY_CLASSES_ROOT\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_CLASSES_ROOT\Interface\{662CA6E1-37D8-8586-3AC64DF96187}]
    • "(Default)" = "IWaitableTask"
  • [HKEY_CLASSES_ROOT\Interface\{662CA6E1-37D8-8586-3AC64DF96187}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{662CA6E1-37D8-8586-3AC64DF96187}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{662CA6E1-37D8-8586-3AC64DF96187}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_CLASSES_ROOT\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}]
    • "(Default)" = "IDownloadError"
  • [HKEY_CLASSES_ROOT\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
  • [HKEY_CLASSES_ROOT\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}]
    • "(Default)" = "IRunningProcess"
  • [HKEY_CLASSES_ROOT\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\TypeLib]
    • "(Default)" = "{AC329328-7EC4-4C34-B672-0A2B90CB9B00}"
    • "Version" = "1.0"
Information stealing

Win32/TrojanDownloader.Agent.AFD is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • memory status

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 9 URLs. It uses the HTTP protocol.


The trojan can download and execute a file from the Internet.
