Win32/Agent.ZIL [Threat Name]
Win32/Agent.ZIL [Threat Variant Name]
| Category | trojan |
| Size | 438272 B |
| Detection created | Dec 14, 2017 |
| Detection database version | 16574 |
| Aliases | Trojan-Dropper.Win32.Scrop.kjv (Kaspersky), W32.Mandaph (Symantec), TR/Drop.Scrop.hctah (Avira) |
Short description
The trojan serves as a proxy server. The trojan is usually a part of other malware.
Installation
The trojan searches for files stored in the following folders:
- %programfiles%
- %appdata%
- %localappdata%
- %anyexistingfolder%
The trojan copies itself to the following locations:
- %anyexistingfolder%\%variable1%\v%variable2%\%variable3%.exe
- %temp%\{%variable4%}\%variable5%.exe
A string with variable content is used in place of %variable1-5%.
The file name of the newly created file is derived from the original file/folder name.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable3%" = "%anyexistingfolder%\%variable1%\v%variable2%\%variable3%.exe"
The trojan creates the following file:
- %startup%\%variable3%.lnk
The file is a shortcut to a malicious file.
The trojan schedules tasks that cause the following files to be executed repeatedly:
- %anyexistingfolder%\%variable1%\v%variable2%\%variable3%.exe
- %temp%\{%variable4%}\%variable5%.exe
This causes the trojan to be executed on every system start.
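As an added illustration (not part of this ESET entry), the following Python triage routine checks exported persistence artefacts for the layout described above: a Run value whose name equals the stem of an exe under a `\v<x>\` folder, a scheduled-task action under `%temp%\{...}\`, and a startup .lnk sharing the Run value's stem. The registry, task and shortcut samples are constructed, and the regexes only match the folder layout because the %variableN% strings are attacker-chosen.

```python
import re

# Path shapes this entry gives for the trojan's copies; the %variableN% parts
# are attacker-chosen strings, so only the folder layout is matched:
#   <folder>\<variable1>\v<variable2>\<variable3>.exe   (Run value and task)
#   %temp%\{<variable4>}\<variable5>.exe                 (task)
COPY_RE = re.compile(r'\\[^\\]+\\v[^\\]+\\([^\\]+)\.exe$', re.IGNORECASE)
TEMP_BRACE_RE = re.compile(r'\\Temp\\\{[^\\}]+\}\\[^\\]+\.exe$', re.IGNORECASE)

def flag_run_value(name, data):
    """The Run entry is "<variable3>" = "<folder>/<variable1>/v<variable2>/<variable3>.exe",
    so the value name equals the exe stem.  Returns a reason string or None."""
    m = COPY_RE.search(data.strip().strip('"'))
    if m and m.group(1).lower() == name.lower():
        return 'Run value %r names its own exe stem under a v<x> folder' % name
    return None

def flag_task_action(action):
    """Scheduled-task action pointing at either described copy location."""
    cmd = action.strip().strip('"')
    if TEMP_BRACE_RE.search(cmd):
        return 'task runs an exe from %temp%\\{...}\\'
    if COPY_RE.search(cmd):
        return 'task runs an exe from a v<x> folder'
    return None

def triage(run_values, task_actions, startup_lnks):
    """Correlate Run values, task actions and %startup% shortcut names: the
    shortcut <variable3>.lnk shares its stem with the flagged Run value."""
    findings, flagged = [], set()
    for name, data in run_values.items():
        reason = flag_run_value(name, data)
        if reason:
            flagged.add(name.lower())
            findings.append(reason)
    findings += [r for r in map(flag_task_action, task_actions) if r]
    for lnk in startup_lnks:
        if lnk.lower().endswith('.lnk') and lnk[:-4].lower() in flagged:
            findings.append('startup shortcut %s mirrors a flagged Run value' % lnk)
    return findings

# Constructed sample artefacts (not taken from a real host).
SAMPLE_RUN = {
    'OneDrive': '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    'Updater': '"C:\\Users\\u\\AppData\\Roaming\\Updater\\v2.1\\Updater.exe"',
}
SAMPLE_TASKS = ['C:\\Users\\u\\AppData\\Local\\Temp\\{7f3c}\\helper.exe',
                'C:\\Windows\\system32\\sc.exe start wuauserv']
SAMPLE_LNKS = ['Updater.lnk', 'Send to OneNote.lnk']
```

Any folder beginning with "v" (a vendor directory, for example) matches COPY_RE, so treat a lone Run-value hit as a lead and weight the correlated task and shortcut findings more heavily.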
The trojan executes the following files:
- %system%\svchost.exe
- %defaultbrowser%
- %internetexplorerfilepath%
The trojan creates and runs a new thread with its own code within these running processes.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (4) URLs. The HTTP protocol is used in the communication.
The trojan serves as a proxy server.
The trojan hooks the following Windows APIs:
- NtCreateUserProcess (ntdll.dll)
- NtWriteVirtualMemory (ntdll.dll)