MSIL/PSW.Agent.NKG [Threat Name] go to Threat

MSIL/PSW.Agent.NKG [Threat Variant Name]

Category trojan
Size 52224 B
Aliases Trojan.Win32.Jorik.IRCbot.bog (Kaspersky)
  Trojan:Win32/Malagent (Microsoft)
  PSW.ILUSpy.trojan (AVG)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself in some of the the following locations:

  • %windows%\­%variable1%
  • %windows%\­System32\­%variable1%
  • %temp%\­%variable1%

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%" = "%malwarefilepath%"

A string with variable content is used instead of %variable1-2% .

After the installation is complete, the trojan deletes the original executable file.

Information stealing

MSIL/PSW.Agent.NKG is a trojan that steals sensitive information.

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • computer name
  • user name
  • operating system version
  • computer IP address
  • CPU information

The following programs are affected:

  • Mozilla Firefox
  • FileZilla
  • No-IP
  • DynDNS
  • IMVU
  • Pidgin

The trojan attempts to send gathered information to a remote machine.

Short description

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The IRC protocol is used.

It can execute the following operations:

  • stop itself for a certain time period
  • uninstall itself
  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • send the list of disk devices and their type to a remote computer
  • send the list of running processes to a remote computer
  • send the list of files on a specific drive to a remote computer
  • create folders
  • delete folders
  • move files
  • delete files
  • terminate running processes

The trojan executes the following command:

  • netsh firewall set opmode disable

This disables the Windows Firewall service.

Trojan requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.