Win32/Agent.SRV [Threat Name]

Win32/Agent.SRV [Threat Variant Name]

Category trojan
Size 6009856 B
Detection created Jun 05, 2011
Detection database version 6181
Aliases Exploit.Win32.BypassUAC.dfh (Kaspersky)
  Trojan:Win32/Skeeyah.A!bit (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to the following locations:

  • %temp%\%variable1%%variable2%\test.exe
  • %appdata%\%variable1%\%variable1%.exe

The trojan creates the following files:

  • %temp%\%variable1%%variable2%\runasti.exe (356864 B, Win32/HackTool.RunAsTI.A)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = ""%appdata%\%variable1%\%variable1%.exe" -startup"

The trojan may set the following Registry entries. Writing these handler overrides under HKEY_CURRENT_USER needs no elevation, but the keys are read by auto-elevating Windows binaries (CompMgmtLauncher.exe consults mscfile, and fodhelper.exe consults ms-settings), so the command stored there runs at high integrity without a UAC prompt:

  • [HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command]
    • "(Default)" = ""%temp%\%variable1%%variable2%\runasti.exe" "%temp%\%variable1%%variable2%\test.exe -exploit %variable3% %variable4%""
  • [HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
    • "(Default)" = ""%temp%\%variable1%%variable2%\runasti.exe" "%temp%\%variable1%%variable2%\test.exe -exploit %variable3% %variable4%""

The trojan executes the following commands:

  • cmd.exe /C CompMgmtLauncher
  • "%temp%\%variable1%%variable2%\runasti.exe" "%temp%\%variable1%%variable2%\test.exe -exploit %variable3% %variable4%"
  • cmd.exe /C "netsh advfirewall firewall add rule name="%variable1%" dir=in action=allow program="%appdata%\%variable1%\%variable1%.exe" enable=yes"
  • cmd.exe /C "netsh advfirewall firewall add rule name="cloudnet" dir=in action=allow program="%appdata%\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"

The trojan may set the following Registry entries. The HKEY_LOCAL_MACHINE exclusion entries (REG_DWORD 0, the form Windows Defender itself uses) require the elevated privileges obtained through the UAC bypass above; they whitelist the trojan's own directory, the CloudNet directory and the process names of the components it later downloads:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
    • "%appdata%\%variable1%" = 0
    • "%appdata%\EpicNet Inc\CloudNet" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
    • "%variable1%.exe" = 0
    • "cloudnet.exe" = 0
    • "windefender.exe" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
    • "%appdata%\%variable1%" = 0
    • "%appdata%\EpicNet Inc\CloudNet" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes]
    • "%variable1%.exe" = 0
    • "cloudnet.exe" = 0
    • "windefender.exe" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CloudNet]
    • "DisplayName" = "CloudNet"
    • "Publisher" = "EpicNet Inc"
    • "UninstallString" = ""%appdata%\%variable1%\%variable1%.exe" -uninstall"
  • [HKEY_CURRENT_USER\Software\Microsoft\TestApp]
    • "Firewall" = "1"
    • "Defender" = "1"
    • "UUID" = %variable5%
    • "CloudnetSource" = %variable6%

A string with variable content is used instead of %variable1-6%.

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\TestApp]

After the installation is complete, the trojan deletes the original executable file.
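The registry footprint described above (the HKEY_CURRENT_USER handler hijacks, the Run entry and the antivirus exclusions) can be triaged offline from a registry export of a suspect host. The script below is an added example for this page, not ESET's code and not part of the malware: it parses the text produced by `reg export HKCU hkcu.reg` / `reg export HKLM hklm.reg` and flags the indicators listed in the Installation section. The sample export, the user name alice, the directory name qbxz and the -exploit arguments are constructed for the demonstration; the OneDrive Run entry is benign control data.

```python
"""Triage a Windows registry export (.reg text) for the Win32/Agent.SRV footprint.

Added example for this page, not ESET's code and not the malware's. Flags:
HKCU shell\\open\\command overrides of ms-settings / mscfile (UAC bypass),
a Run value of the form "<path>\\<name>\\<name>.exe" -startup, AV exclusions
inside a user profile or naming cloudnet.exe / windefender.exe, and the
HKCU\\Software\\Microsoft\\TestApp state key.
"""
import re
from typing import Dict, List, Tuple

# Handlers read by auto-elevating binaries (CompMgmtLauncher.exe -> mscfile,
# fodhelper.exe -> ms-settings). Legitimate handlers live under HKLM/HKCR,
# so any command stored under HKCU is an indicator by itself.
UAC_HIJACK_KEYS = (
    r"HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command",
)
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
EXCLUSION_PREFIXES = (  # compared lower-case
    r"hkey_local_machine\software\microsoft\windows defender\exclusions",
    r"hkey_local_machine\software\microsoft\microsoft antimalware\exclusions",
)
KNOWN_EXCLUSION_NAMES = {"cloudnet.exe", "windefender.exe"}
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\TestApp"
# "<path>\<dir>\<dir>.exe" -startup ; <dir> must also equal the value name
RUN_ENTRY_RE = re.compile(r'^"(?P<path>.+\\(?P<dir>[^\\]+)\\(?P=dir)\.exe)"\s+-startup$', re.I)


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\" -> " and \\\\ -> \\) in one left-to-right pass."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}; '@' becomes '(Default)'.
    Quoted REG_SZ data is unescaped; dword:/hex: data is kept as written."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""          # pending joins hex(...) continuation lines
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):          # binary data continues on the next line
            pending = line[:-1]
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (indicator, key_path, detail) triples for the Agent.SRV footprint."""
    hits: List[Tuple[str, str, str]] = []
    by_lower = {k.lower(): (k, v) for k, v in keys.items()}   # registry is case-insensitive
    for hijack in UAC_HIJACK_KEYS:
        found = by_lower.get(hijack.lower())
        if found and "(Default)" in found[1]:
            hits.append(("uac_bypass_hijack", found[0], found[1]["(Default)"]))
    run = by_lower.get(RUN_KEY.lower())
    if run:
        for name, data in run[1].items():
            m = RUN_ENTRY_RE.match(data)
            if m and m.group("dir").lower() == name.lower():
                hits.append(("run_persistence", run[0], data))
    for key, values in keys.items():
        if key.lower().startswith(EXCLUSION_PREFIXES):
            for name in values:       # exclusions in a user-writable profile path, or known names
                if "\\appdata\\" in name.lower() or name.lower() in KNOWN_EXCLUSION_NAMES:
                    hits.append(("av_exclusion", key, name))
    cfg = by_lower.get(CONFIG_KEY.lower())
    if cfg:
        hits.append(("config_key", cfg[0], ", ".join(sorted(cfg[1]))))
    return hits


def scan_reg_text(text: str) -> List[Tuple[str, str, str]]:
    return find_indicators(parse_reg_export(text))


# Constructed sample export (user "alice", directory "qbxz", placeholder -exploit
# arguments); the OneDrive entry is benign control data that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\Temp\\qbxz17\\runasti.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\qbxz17\\test.exe -exploit 3 4\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"qbxz"="\"C:\\Users\\alice\\AppData\\Roaming\\qbxz\\qbxz.exe\" -startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Users\\alice\\AppData\\Roaming\\qbxz"=dword:00000000
"C:\\Users\\alice\\AppData\\Roaming\\EpicNet Inc\\CloudNet"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"cloudnet.exe"=dword:00000000
"windefender.exe"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\TestApp]
"Firewall"="1"
"Defender"="1"
'''

if __name__ == "__main__":
    for kind, key, detail in scan_reg_text(SAMPLE_REG):
        print(f"{kind:18} {key}\n{'':18} {detail}")
```

On a live host the same keys can be dumped with `reg export` and fed to `scan_reg_text`; an HKCU override of either handler key is worth removing outright, since no legitimate software installs one there, whereas the exclusion and Run hits should be reviewed against the paths they name before deletion.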

Information stealing

The trojan collects various sensitive information.


The trojan collects the following information:

  • malware version
  • user name
  • operating system version
  • information about the operating system and system settings
  • CPU information
  • video controller type
  • installed antivirus software

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (6) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • execute shell commands
  • uninstall itself
  • send gathered information

The trojan may attempt to download files from the Internet.


The files are stored in the following locations; both directories and both process names are already covered by the antivirus exclusions set during installation, and the netsh rule added earlier already allows inbound connections to cloudnet.exe:

  • %appdata%\EpicNet Inc\CloudNet\cloudnet.exe
  • %appdata%\%variable1%\windefender.exe

The files are then executed.


The trojan may display dialog windows.