MSIL/Agent.AY [Threat Name]

MSIL/Agent.AY [Threat Variant Name]

Category: worm
Size: 229376 B
Aliases:
  Trojan.MSIL.Agent.ankf (Kaspersky)
  Worm:MSIL/Mofin.A (Microsoft)
  Infostealer (Symantec)
  MSIL:Agent-ABU (Avast)
Short description

MSIL/Agent.AY is a worm that spreads via removable media.


When executed, the worm copies itself to some of the following locations:

  • %systemdrive%\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe
  • %systemdrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\svchost..exe
  • %systemdrive%\Users\%username%\Documents\suchost..exe
  • %systemdrive%\Windows\system\suchost..exe

This causes the worm to be executed on every system start.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • movies.exe

The worm copies itself into existing folders of removable drives.

The name of the file may be based on the name of an existing file or folder.

Information stealing

MSIL/Agent.AY is a worm that steals sensitive information.

The worm collects the following information:

  • file(s) content
  • network adapter information

The worm searches local drives for files with the following file extensions:

  • .doc
  • .xlsx
  • .xls
  • .docx
  • .pdf

The worm attempts to send the found files to a remote machine.

The worm sends the information via e-mail.

Other information

The worm keeps various information in the following files:

  • %systemdrive%\Users\Public\Documents\wsystem.vx
  • %systemdrive%\Windows\system\wsystem.vx

The worm requires the Microsoft .NET Framework to run.
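
The file names and locations listed in this description can be checked against a file inventory collected from an endpoint. The sketch below is an added example, not part of the original description: the inventory format, the function names, and the sibling-name heuristic for copies placed in existing folders of removable drives are assumptions.

```python
import ntpath
import re

TEMPLATES = [  # (label, path template), copied from the description above
    ("install copy", r"%systemdrive%\Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost..exe"),
    ("install copy", r"%systemdrive%\Documents and Settings\%username%\Start Menu\Programs\Startup\svchost..exe"),
    ("install copy", r"%systemdrive%\Users\%username%\Documents\suchost..exe"),
    ("install copy", r"%systemdrive%\Windows\system\suchost..exe"),
    ("data file", r"%systemdrive%\Users\Public\Documents\wsystem.vx"),
    ("data file", r"%systemdrive%\Windows\system\wsystem.vx"),
]
ROOT_NAME = "movies.exe"  # name used in the root folder of removable drives

def to_regex(template):  # %var% path template -> anchored, case-insensitive regex
    subs = {"%systemdrive%": r"[a-z]:", "%username%": r"[^\\]+"}
    parts = re.split(r"(%\w+%)", template)
    return re.compile("".join(subs.get(p.lower(), re.escape(p)) for p in parts) + r"\Z", re.I)

RULES = [(label, to_regex(template)) for label, template in TEMPLATES]

def sweep(inventory, removable_drives):
    """Map each suspicious path in a file inventory to the indicator it matched."""
    removable = {d.lower() for d in removable_drives}  # drive letters such as "e:"
    lowered = [p.lower() for p in inventory]
    hits = {}
    for path, low in zip(inventory, lowered):
        drive, rest = ntpath.splitdrive(low)
        label = next((lbl for lbl, rx in RULES if rx.match(path)), None)
        if label is None and drive in removable and low.endswith(".exe"):
            stem = low[:-4]
            if rest == "\\" + ROOT_NAME:
                label = "removable root copy"
            # Heuristic (assumption): an .exe sharing its name with a sibling file or folder.
            elif any(o != low and (ntpath.splitext(o)[0] == stem or o.startswith(stem + "\\"))
                     for o in lowered):
                label = "exe named after sibling"
        if label:
            hits[path] = label
    return hits

SAMPLE = [  # constructed inventory; E: is treated as the removable drive
    r"C:\Windows\System32\svchost.exe",  # legitimate name, single dot: no match
    r"C:\Users\alice\Documents\suchost..exe",
    r"C:\Users\Public\Documents\wsystem.vx",
    r"E:\movies.exe",
    r"E:\Photos\holiday.jpg",
    r"E:\Photos\holiday.exe",
    r"E:\Tools\setup.exe",
]
```

Calling `sweep(SAMPLE, ["E:"])` returns a dictionary of matched paths and labels. The sibling-name label is a lead for review rather than a confirmed detection, since legitimate installers can share a name with a neighbouring folder.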
