Win32/Agent.RXL [Threat Name] go to Threat

Win32/Agent.RXL [Threat Variant Name]

Category trojan
Size 217088 B
Aliases Exploit.Win32.BypassUAC.dah (Kaspersky)
  Trojan.PWS.Stealer.17779 (Dr.Web)
  Backdoor:Win32/Rescoms.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %installfolder%\­%variable1%\­%variable2%

The %installfolder% is one of the following strings:

  • %temp%\­
  • %workingfolder%\­
  • %systemdrive%\­
  • %windir%\­
  • %windir%\­system32\­
  • %windir%\­SysWOW64\­
  • %programfiles%
  • %appdata%
  • %userprofile%
  • %variable3%

A string with variable content is used instead of %variable1-3% .

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "remcos" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "remcos" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "explorer.exe, %malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Userinit" = "C:\­WINDOWS\­system32\­userinit.exe, %malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "remcos" = "%malwarefilepath%"

This causes the trojan to be executed on every system start.

The trojan launches the following processes:

  • %defaultbrowser%
  • %system%\­svchost.exe
  • %windir%\­SysWOW64\­svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.

The trojan may create and run a new thread with its own program code within any running process.

The trojan may create the following files:

  • %workingfolder%\­lic.txt (32 B)
  • %temp%\­install.bat

The trojan may delete the following files:

  • %malwarefilepath%:Zone.Identifier

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects various sensitive information.

The trojan collects the following information:

  • amount of operating memory
  • malware version
  • country
  • webcam video/voice
  • screenshots
  • computer name
  • user name

The trojan is able to log keystrokes.

Trojan may take a picture using infected computer's camera.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The TCP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • send requested files
  • rename files
  • create files
  • create folders
  • delete files
  • open a specific URL address
  • execute shell commands
  • send the list of running processes to a remote computer
  • manipulate application windows
  • display a dialog window
  • show/hide application windows
  • terminate running processes
  • capture screenshots
  • capture webcam video/voice
  • delete cookies
  • uninstall itself
  • update itself to a newer version
  • simulate user's input (clicks, taps)

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­%variable%]

A string with variable content is used instead of %variable% .

Trojan is able to bypass User Account Control (UAC).

The trojan can be used to gain full access to the compromised computer.

Please enable Javascript to ensure correct displaying of this content and refresh this page.