Win32/Agent.XSD [Threat Name]

Win32/Agent.XSD [Threat Variant Name]

Category: trojan
Size: 1241088 B
Detection created: Dec 15, 2015
Detection database version: 12725
Aliases: Trojan-PSW.Win32.QQGetPass.a (Kaspersky), Trojan.DownLoader15.57259 (Dr.Web)
Short description

Win32/Agent.XSD is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

The trojan is probably part of other malware.

The trojan does not create any copies of itself.

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\C4DC1D48-A80B-449A-A446-C5DB33BF4F6C]
    • "(Default)" = "FlowData"

The trojan may create the following files:

  • %temp%\mydata.dat (684032 B)
  • %temp%\microsoft helper.exe (384000 B)
  • %variable%.dmp
  • Log_LIUHEN_Info.txt
  • C:\abc.jpg
  • %temp%\4d0247073ad01ed10d75f776d62dab75.jpg
  • C:\92B9EN1S.txt

A string with variable content is used instead of %variable%.

The trojan may execute the following files:

  • %temp%\mydata.dat
  • %temp%\microsoft helper.exe
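
For responders who want to check a host against the artifacts listed above, here is a small triage helper written as an added example for this page (it is not ESET's tooling). It expands the page's %temp% and %variable% placeholders into case-insensitive globs, matches a file listing against the dropped-file names, and scans a "reg query"-style text dump for the AppID value. The temp directory, the dump format and all of the evidence below are assumed or constructed sample data; the registry key is matched exactly as the page lists it.

```python
"""Triage helper: match host evidence against the Win32/Agent.XSD artifacts
listed above (the AppID registry value and the dropped files).

Added example for this page, not ESET's code. The evidence it runs on is
constructed sample data and the temp directory is an assumed value."""
import fnmatch
import ntpath
import re

# Artifacts as listed on the page; %temp% and %variable% are the page's placeholders.
DROPPED_FILES = [
    r"%temp%\mydata.dat",
    r"%temp%\microsoft helper.exe",
    r"%variable%.dmp",
    r"Log_LIUHEN_Info.txt",
    r"C:\abc.jpg",
    r"%temp%\4d0247073ad01ed10d75f776d62dab75.jpg",
    r"C:\92B9EN1S.txt",
]
REGISTRY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID"
                r"\C4DC1D48-A80B-449A-A446-C5DB33BF4F6C")
REGISTRY_VALUE = ("(Default)", "FlowData")


def file_pattern(artifact, temp_dir):
    """Expand a page artifact into a lower-case glob.

    %temp% becomes the host's temp directory, %variable% becomes '*', and a
    bare file name (no drive, no directory) is allowed in any directory."""
    pat = artifact.replace("%temp%", temp_dir).replace("%variable%", "*")
    if not ntpath.splitdrive(pat)[0] and "\\" not in pat:
        pat = "*\\" + pat
    return pat.lower()


def match_files(paths, temp_dir=r"C:\Users\victim\AppData\Local\Temp"):
    """Return (path, artifact) pairs for every path matching a listed artifact.
    Matching is case-insensitive because NTFS names are. %variable%.dmp will
    match any crash dump, so treat that hit as corroboration only."""
    patterns = [(a, file_pattern(a, temp_dir)) for a in DROPPED_FILES]
    hits = []
    for path in paths:
        low = path.lower()
        for artifact, pat in patterns:
            if fnmatch.fnmatchcase(low, pat):
                hits.append((path, artifact))
    return hits


VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def match_registry(reg_dump):
    """Scan 'reg query'-style text (an unindented key path followed by indented
    name/type/data lines) and return the matching (key, name, data) or None."""
    current = None
    for line in reg_dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # unindented line: a key path
            current = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current and current.lower() == REGISTRY_KEY.lower():
            name, _type, data = m.groups()
            if (name, data) == REGISTRY_VALUE:
                return (current, name, data)
    return None


def triage(paths, reg_dump, temp_dir=r"C:\Users\victim\AppData\Local\Temp"):
    """Combine both checks into one summary dict."""
    return {"files": match_files(paths, temp_dir),
            "registry": match_registry(reg_dump)}


# Constructed sample evidence (not taken from a real host).
SAMPLE_FILES = [
    r"C:\Users\victim\AppData\Local\Temp\mydata.dat",
    r"C:\Users\victim\AppData\Local\Temp\Microsoft Helper.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\victim\Desktop\notes.txt",
    r"C:\Users\victim\AppData\Local\Temp\9f3a1c.dmp",
    r"C:\92B9EN1S.txt",
]
SAMPLE_REG = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\C4DC1D48-A80B-449A-A446-C5DB33BF4F6C
    (Default)    REG_SZ    FlowData

HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\SomeOtherApp
    (Default)    REG_SZ    Other
"""

if __name__ == "__main__":
    result = triage(SAMPLE_FILES, SAMPLE_REG)
    for path, artifact in result["files"]:
        print(f"file hit: {path}  <-  {artifact}")
    print("registry hit:", result["registry"])
```

On the sample data the helper reports four file hits (mydata.dat, the differently-cased Microsoft Helper.exe, a .dmp in %temp%, and C:\92B9EN1S.txt) plus the registry value; a real run would feed it a file listing and a reg query export from the host under investigation.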

Information stealing

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • computer IP address
  • MAC address
  • cookies

The following services are affected:

  • QQ
  • QZone

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used in the communication.

It can execute the following operations:

  • open a specific URL address
  • simulate user's input (clicks, taps)
  • execute JavaScript code

The trojan sends requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc.

The trojan injects JavaScript code into web pages visited by the user.

The trojan hooks the following Windows APIs:

  • LoadLibraryExW (kernel32.dll)
  • DirectSoundCreate (dsound.dll)

The trojan sleeps for a certain period of time if it detects a running process containing one of the following strings in its name:

  • League of Legends.exe
  • LolClient.exe
  • lol.launcher_tencent.exe
  • war3.exe

The trojan can delete cookies.

The trojan hides its running process.

The trojan may delete the following files:

  • %temp%\mydata.dat
  • %temp%\microsoft helper.exe
