MSIL/Agent.NWI [Threat Name] go to Threat

MSIL/Agent.NWI [Threat Variant Name]

Category trojan
Size 113152 B
Aliases Trojan.Win32.Agent.vefo (Kaspersky)
Short description

MSIL/Agent.NWI is a trojan that installs MSIL/Adware.BHO.B malware.


When executed, the trojan copies itself into the following location:

  • %temp%\­WindowsLiveUpdate.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • "WindowsLiveUpdate" = "%temp%\­WindowsLiveUpdate.exe"

The trojan may create the following files:

  • %appdata%\­MCommon\­sites.dat (9275 B)
  • %appdata%\­MCommon\­vinfo.dat (25 B)
  • %appdata%\­Mozilla\­Firefox\­Extensions\­MozillaHotfix\­chrome\­content\­update.js (26112 B)
  • %appdata%\­WinLive\­WinLive.dll (30860 B, MSIL/Adware.BHO.B)

The trojan then removes itself from the computer.

Other information

The trojan may delete the following files:

  • %appdata%\­WinLive\­tcookies.dat
  • %appdata%\­Mozilla\­Firefox\­Extensions\­MozillaHotfix\­tcookies.dat
  • %appdata%\­MCommon\­uinfo.dat

Please enable Javascript to ensure correct displaying of this content and refresh this page.