Win32/Agent.SSA [Threat Name]

Win32/Agent.SSA [Threat Variant Name]

Category: trojan
Size: 654848 B
Detection created: Jun 07, 2011
Detection database version: 15691
Aliases: Backdoor.Win32.Buterat.fmgl (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


The trojan does not create any copies of itself.

The trojan schedules a task that causes the following file to be executed when a user logs in:

  • %malwarefilepath%

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\PerformanceMonitor\BackgroundService\%variable1%]
    • "module%variable2%" = %malwaredllfileasbinarydata%

A variable numerical value or a string with variable content is used instead of %variable1-2%.

The trojan may create the following files:

  • %appdata%\%variable3%.exe

A string with variable content is used instead of %variable3%.

Information stealing

The following information is collected:

  • user name
  • operating system version
  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The HTTP protocol is used. The trojan contains a list of 7 URLs.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • install and execute applications
  • create a scheduled task that repeatedly executes the malicious file
  • execute shell commands
  • terminate running processes
  • create Registry entries
  • delete Registry entries
  • delete files
  • rename files

The following programs are terminated:

  • netstat.exe
