Win32/Agent.XWT [Threat Name] go to Threat

Win32/Agent.XWT [Threat Variant Name]

Category	trojan
Size	414456 B

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

When executed, the trojan copies itself into the following location:

The trojan may register itself as a system service using the following name:

This causes the trojan to be executed on every system start.

The trojan may create copies of the following files (source, destination):

The trojan may install the following system drivers (path, name):

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{6F425913-B218-4FFB-9188-C356B553BEA0}]
- "ComDB" = %variable1%
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
- "ServicesPipeTimeout" = 60000
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TMKernel\Instances]
- "DefaultInstance" = "0001"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TMKernel\Instances\0001]
- "Altitude" = "387000"
- "Flags" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TMKernelSrv]
- "UserSID" = "%variable2%"

A string with variable content is used instead of %variable1-2% .

The trojan collects the following information:

The trojan attempts to send gathered information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The UDP, HTTP protocol is used in the communication.

It can execute the following operations:

The trojan keeps various information in the following files: