Win32/Agent.VXU [Threat Name]
Win32/Agent.VXU [Threat Variant Name]
Category | trojan |
Size | 305152 B |
Aliases | Win32:HackTool-FX (Avast) |
Short description
Win32/Agent.VXU installs a backdoor that can be controlled remotely.
Installation
When executed, the trojan creates the following files:
- %temp%\Framework.bat (~200 B, Win32/Agent.VXU)
- %temp%\Framework.dll (71168 B, Win32/Agent.VXU)
- %temp%\StartExe.exe (57856 B, Win32/Agent.VXU)
- %temp%\w7e1.tmp (58368 B, Win32/Agent.VXU)
The trojan creates copies of the following files (source, destination):
- %temp%\Framework.dll, C:\windows\system32\Framework.dll
The trojan registers itself as a system service using the following name:
- Framework
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
- "Framework" = "Framework"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Framework]
- "Type" = 32
- "Start" = 2
- "ErrorControl" = 1
- "ImagePath" = "%systemroot%\System32\svchost.exe -k Framework"
- "DisplayName" = "Framework"
- "ObjectName" = "LocalSystem"
- "Description" = "Microsoft NET Framework NGEN"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Framework\Parameters]
- "ServiceDll" = "%systemroot%\system32\Framework.dll"
This causes the trojan to be executed on every system start.
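The persistence above is a svchost-hosted service: the Svchost group "Framework" plus a Parameters\ServiceDll value pointing at the dropped DLL. The following read-only audit script is an added example, not part of the ESET entry; it assumes an elevated PowerShell prompt on the host being checked and flags every svchost-hosted service whose ServiceDll is missing or not validly signed, whose group is undefined or contains only that one service, or whose Description claims to be .NET NGEN (the real NGEN service runs mscorsvw.exe, not svchost.exe).

```powershell
# Added audit example (not ESET's code): enumerate services launched as
# "svchost.exe -k <group>" and inspect the DLL named in Parameters\ServiceDll.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Map of svchost group name -> array of service names registered in that group.
$groups = @{}
foreach ($p in (Get-ItemProperty -Path $svchostKey).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
    $groups[$p.Name] = @($p.Value)
}

$findings = foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    $image = [string]$props.ImagePath
    # Only svchost-hosted services are relevant to this persistence technique.
    if ($image -notmatch 'svchost\.exe.*-k\s+(\S+)') { continue }
    $group = $Matches[1]

    $paramsPath = Join-Path $svc.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)

    $sigStatus = if (Test-Path -LiteralPath $dllPath) {
        (Get-AuthenticodeSignature -FilePath $dllPath).Status
    } else { 'FileMissing' }
    $groupSize = if ($groups.ContainsKey($group)) { $groups[$group].Count } else { 0 }

    $reasons = @()
    if ($sigStatus -ne 'Valid') { $reasons += "ServiceDll signature: $sigStatus" }
    if ($groupSize -eq 0)       { $reasons += "group '$group' not defined under Svchost key" }
    elseif ($groupSize -eq 1)   { $reasons += "group '$group' hosts only this service" }
    # The entry documents the disguise "Microsoft NET Framework NGEN"; genuine
    # NGEN (clr_optimization_*) is not hosted in svchost.exe.
    if ("$($props.Description)" -match 'NGEN') { $reasons += 'NGEN description on an svchost service' }
    if ($reasons.Count -eq 0) { continue }

    [pscustomobject]@{
        Service    = $svc.PSChildName
        Group      = $group
        ServiceDll = $dllPath
        Reasons    = ($reasons -join '; ')
    }
}

$findings | Format-Table -AutoSize
```

A legitimate Microsoft ServiceDll will normally report a Valid signature and belong to a multi-service group, so a single-member group with an unsigned DLL in System32 matches the pattern this entry describes.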
The trojan launches the following processes:
- %temp%\StartExe.exe
- %temp%\Framework.bat
- %system%\cmd.exe
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
After the installation is complete, the trojan deletes the original executable file.
The following files are deleted:
- %temp%\Framework.bat
- %temp%\Framework.dll
- %temp%\StartExe.exe
- %temp%\w7e1.tmp
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (2) URLs. The TCP protocol is used.
It can execute the following operations:
- execute shell commands