Win32/Agent.WBI [Threat Name]
Win32/Agent.WBI [Threat Variant Name]
Category: trojan
Size: 54784 B
Detection created: Jun 16, 2014
Detection database version: 9954
Short description
The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.
Installation
The trojan does not create any copies of itself.
The trojan registers itself as a system service using the following name:
- %variable%
This causes the trojan to be executed on every system start.
Instead of %variable%, the value(s) are taken from the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
Information stealing
Win32/Agent.WBI is a trojan that steals sensitive information.
The trojan collects the following information:
- computer name
- MAC address
- operating system version
- information about the operating system and system settings
- CPU information
- amount of operating memory
- network adapter information
- volume serial number
- BIOS version
- a list of recently visited URLs
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of one IP address. The TCP protocol is used in the communication.
It downloads the other part of the infiltration.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- uninstall itself
- shut down/restart the computer
- create Registry entries
- send gathered information
- various Registry operations
- delete Registry entries
- log keystrokes
- capture screenshots
- create files
- create folders
- delete folders
- delete files
- copy files
- move files
- send requested files
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- send the list of running processes to a remote computer
- set file attributes
The trojan keeps various information in the following Registry keys:
- [HKEY_USERS\.DEFAULT\Plugin]
- [HKEY_USERS\.DEFAULT]
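The persistence mechanism described under Installation (a service whose name is taken from the svchost netsvcs group) and the storage location listed above (HKEY_USERS\.DEFAULT\Plugin) can both be audited from the registry. The following PowerShell script is an added example written for this page; it is not ESET's code and not taken from the sample. It walks the netsvcs group, and for every service that actually exists reports one whose hosting DLL lives outside %SystemRoot%\System32, whose DLL is not validly signed, or whose ImagePath is not svchost.exe; it then flags the Plugin key if present. The "outside System32" and "signature not Valid" criteria are the author's heuristics, not indicators published on this page, and legitimate third-party services can trip them, so treat hits as leads to review rather than verdicts. Run it in an elevated PowerShell session.

```powershell
# Added example (not ESET's code): audit services hosted in the svchost "netsvcs" group
# and check for the HKEY_USERS\.DEFAULT\Plugin key named in the threat description.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs    = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs').netsvcs
$system32   = Join-Path $env:SystemRoot 'System32'

$findings = foreach ($name in $netsvcs) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    # Many netsvcs names are reserved but have no installed service; skip those.
    if (-not (Test-Path $svcKey)) { continue }

    $imagePath = (Get-ItemProperty -Path $svcKey -Name 'ImagePath' -ErrorAction SilentlyContinue).ImagePath
    $dll       = (Get-ItemProperty -Path "$svcKey\Parameters" -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll

    $reasons = @()

    # Heuristic 1 (author's choice): a netsvcs member should be hosted by svchost.exe.
    if ($imagePath -and ($imagePath -notmatch 'svchost\.exe')) {
        $reasons += "ImagePath is not svchost.exe: $imagePath"
    }

    if ($dll) {
        $resolved = [Environment]::ExpandEnvironmentVariables($dll)

        # Heuristic 2 (author's choice): hosting DLL should live under System32.
        if (-not $resolved.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "ServiceDll outside System32: $resolved"
        }

        # Heuristic 3 (author's choice): hosting DLL should carry a valid signature
        # (Authenticode or catalog; Get-AuthenticodeSignature checks both on modern Windows).
        if (Test-Path $resolved) {
            $sig = Get-AuthenticodeSignature -FilePath $resolved
            if ($sig.Status -ne 'Valid') {
                $reasons += "ServiceDll signature status: $($sig.Status)"
            }
        } else {
            $reasons += "ServiceDll file missing on disk: $resolved"
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service    = $name
            ImagePath  = $imagePath
            ServiceDll = $dll
            Reasons    = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No netsvcs member matched the review heuristics.'
}

# The description also lists HKEY_USERS\.DEFAULT\Plugin as a place the trojan keeps data.
# The key is not part of a default Windows install, so its presence is worth a look.
$pluginKey = 'Registry::HKEY_USERS\.DEFAULT\Plugin'
if (Test-Path $pluginKey) {
    Write-Warning "$pluginKey exists; review its values below."
    Get-ItemProperty -Path $pluginKey
}
```

Because the service name the trojan uses is a legitimate netsvcs entry, searching by name alone tells you nothing; the useful signal is the mismatch between a well-known service name and where its code actually comes from, which is what the ServiceDll and ImagePath checks surface.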
The trojan hooks the following Windows APIs:
- GetModuleFileNameW (kernel32.dll)