Win32/Agent.ZEA [Threat Name]

Win32/Agent.ZEA [Threat Variant Name]

Category trojan
Size 2160516 B
Detection created Sep 13, 2017
Detection database version 16078

Short description

Win32/Agent.ZEA is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %systemdrive%\Documents and Settings\All Users\DRM\srnss.exe
  • %systemdrive%\Users\%username%\AppData\Local\Temp\srnss.exe

Other information

The trojan contains a list of URLs.


It tries to download several files from the addresses. The HTTP protocol is used in the communication.


These are stored in the following locations:

  • %systemdrive%\Documents and Settings\All Users\DRM\%filename%
  • %systemdrive%\Users\%username%\AppData\Local\Temp\%filename%

A string with variable content is used instead of %filename%.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe, %downloadedfilepath%"

The trojan keeps various information in the following files:

  • %systemdrive%\Documents and Settings\All Users\DRM\frfn.db
  • %systemdrive%\Users\%username%\AppData\Local\Temp\frfn.db
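
The artifacts listed above can be checked on a host with a short read-only PowerShell script. This is an added example, not part of the original description or vendor tooling. It inspects only the hive of the user running it, and the allow-list of acceptable Shell values is an assumption to adapt to your baseline.

```powershell
# Added example: read-only triage for the artifacts listed in this description.
$findings = @()

# 1. Winlogon "Shell" in the current user's hive. The value is not set there by
#    default, so report every component that is not plain explorer.exe.
$key     = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$allowed = 'explorer.exe', "$env:SystemRoot\explorer.exe"   # assumption: baseline shell
$shell   = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
foreach ($part in ("$shell" -split ',')) {
    $entry = $part.Trim().Trim('"')
    if ($entry -and ($allowed -notcontains $entry)) {   # comparison is case-insensitive
        $findings += [pscustomobject]@{ Type = 'WinlogonShell'; Item = $entry; Size = $null }
    }
}

# 2. Self-copy (srnss.exe) and data file (frfn.db) in the two directories named
#    above. The per-user Temp path is expanded for every profile on the drive.
$dirs  = @("$env:SystemDrive\Documents and Settings\All Users\DRM")
$dirs += Get-ChildItem "$env:SystemDrive\Users" -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

foreach ($dir in $dirs) {
    foreach ($name in 'srnss.exe', 'frfn.db') {
        $item = Get-Item -LiteralPath (Join-Path $dir $name) -Force -ErrorAction SilentlyContinue
        if ($item) {
            # Size is reported for comparison; the description lists 2160516 B for this variant.
            $findings += [pscustomobject]@{ Type = 'File'; Item = $item.FullName; Size = $item.Length }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No listed artifacts found for this user/host.' }
```

Downloaded payloads use a variable %filename%, so unexpected executables in the same two directories deserve review even when neither fixed file name is present.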
