MSIL/Agent.AV [Threat Name] go to Threat

MSIL/Agent.AV [Threat Variant Name]

Category worm
Size 22016 B
Short description

MSIL/Agent.AV is a worm which tries to download other malware from the Internet.


When executed the worm copies itself in the following locations:

  • %appdata%\­lWyWpByYuAxScAkJuTlKxHbLuAcJlCsJpJoXiYlFgHnPaAaQgVqNkXuUyPhLsWlCoNmKbWcB.exe
  • %userprofile%\­Start Menu\­Programsexplorer.exe
  • C:\­%malwarefilename%

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Windows Defender" = "%appdata%\­lWyWpByYuAxScAkJuTlKxHbLuAcJlCsJpJoXiYlFgHnPaAaQgVqNkXuUyPhLsWlCoNmKbWcB.exe"
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • JlAvZ.exe

The file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer.

The worm creates the following files:

  • %variable%.lnk

A string with variable content is used instead of %variable% .

The name of the file may be based on the name of an existing file or folder.

The file is a shortcut to a malicious file.

Other information

The worm contains an URL address.

It tries to download a file from the address.

The file is stored in the following location:

  • %temp%\­uLcVeAoWkMuUiN.exe

The file is then executed. The HTTP protocol is used.

The worm may display the following message:

  • This Program Has Known Compaitablility Issues In Sandboxie. Please Run It Normally. The Application Will Now Close. Thankyou.

Please enable Javascript to ensure correct displaying of this content and refresh this page.