Win32/Pagun [Threat Name] go to Threat

Win32/Pagun.F [Threat Variant Name]

Category trojan
Size 79904 B
Aliases Backdoor.Win32.Gbot.c (Kaspersky)
  Backdoor.Sdbot (Symantec)
  Backdoor:Win32/Silby (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %system%\­SVC1HOST.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHNE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­App Paths\­msdiag.exe]
    • "(Default)" = "%system%\­SVC1HOST.exe"
  • [HKEY_LOCAL_MACHNE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Microsoft Diagnostic Tool" = "msdiag.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHNE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Install" = "%variable% (%variable%)"
  • [HKEY_LOCAL_MACHNE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Nick" = "%variable%"

A string with variable content is used instead of %variable% .

Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • user name
  • computer IP address
  • locale
  • type of Internet connection
  • hardware information
  • screenshots
  • logged keystrokes
  • data from the clipboard
  • list of active TCP and UDP connections

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan connects to the following addresses:


The IRC protocol is used in the communication.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • execute shell commands
  • log keystrokes
  • capture screenshots
  • perform DoS/DDoS attacks
  • redirect network traffic
  • monitor network traffic
  • send the list of running processes to a remote computer
  • terminate running processes
  • various filesystem operations
  • upload file list
  • send files to a remote computer
  • various Registry operations
  • display a dialog window
  • send spam
  • shut down/restart the computer
  • log off the current user
  • remove itself from the infected computer

The trojan may flood the hard drive drive by copying the file %windir%\explorer.exe into the following locations:

  • C:\­fuck%variable%.exe

A variable numerical value is used instead of %variable% .

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "VirusScanner"

Please enable Javascript to ensure correct displaying of this content and refresh this page.