MSIL/Agent.WI [Threat Name] go to Threat

MSIL/Agent.WI [Threat Variant Name]

Category trojan
Size 1143296 B
Aliases Trojan.DownLoader11.45275 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %appdata%\­Windows\­Sidebar.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "2" = "%appdata%\­Windows\­Sidebar.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "shell" = "%appdata%\­Windows\­Sidebar.exe,explorer.exe"

The trojan may create the following files:

  • %windir%\­Microsoft.NET\­Framework\­%version%\­RegAsm.exe

The trojan executes the following files:

  • %windir%\­Microsoft.NET\­Framework\­%version%\­RegAsm.exe

A string with variable content is used instead of %version% .

The trojan creates and runs a new thread with its own code within these running processes.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

Configuration is stored in the following file:

  • %malwarefilepath%

The trojan collects information used to access certain sites.

It can execute the following operations:

  • allow remote desktop connections from outside
  • set up a proxy server
  • capture webcam video/voice
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.