Win32/Exploit.Agent.N [Threat Name] go to Threat

Win32/Exploit.Agent.N [Threat Variant Name]

Category trojan
Size 446882 B
Aliases (Kaspersky)
  Exploit-CVE2012-0158!rtf.trojan (McAfee)
Short description

Win32/Exploit.Agent.N is a trojan that installs Win32/Spy.Zbot.AAU malware.


The trojan does not create any copies of itself.

Other information

The trojan contains a URL address. It tries to download a file from the address.

The file is saved to one of the following folders:

  • %temp%\­..\­Microsoft\­Windows\­
  • %temp%\­..\­Application Data\­Microsoft\­Windows\­
  • %temp%\­

The following filename is used:

  • spoolsv.exe (651776 B, Win32/Spy.Zbot.AAU)

The file is then executed. The HTTP protocol is used in the communication.

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Office\­%variable%.0\­Word\­Resiliency\­DisabledItems]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Office\­%variable%.0\­Word\­Resiliency\­StartupItems]

A variable numerical value is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.