Win32/Agent.ZIL [Threat Name]

Win32/Agent.ZIL [Threat Variant Name]

Category: trojan
Size: 438272 B
Detection created: Dec 14, 2017
Detection database version: 16574
Aliases: Trojan-Dropper.Win32.Scrop.kjv (Kaspersky), W32.Mandaph (Symantec), TR/Drop.Scrop.hctah (Avira)
Short description

The trojan serves as a proxy server. The trojan is usually a part of other malware.

Installation

The trojan searches for files stored in the following folders:

  • %programfiles%
  • %appdata%
  • %localappdata%
  • %anyexistingfolder%

The trojan copies itself to the following locations:

  • %anyexistingfolder%\%variable1%\v%variable2%\%variable3%.exe
  • %temp%\{%variable4%}\%variable5%.exe

A string with variable content is used in place of each of %variable1% to %variable5%.

The file name of the newly created file is derived from the original file/folder name.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%anyexistingfolder%\%variable1%\v%variable2%\%variable3%.exe"

The trojan creates the following file:

  • %startup%\%variable3%.lnk

The file is a shortcut to a malicious file.


The trojan schedules tasks that cause the following files to be executed repeatedly:

  • %anyexistingfolder%\%variable1%\v%variable2%\%variable3%.exe
  • %temp%\{%variable4%}\%variable5%.exe

This causes the trojan to be executed on every system start.


The trojan executes the following files:

  • %system%\­svchost.exe
  • %defaultbrowser%
  • %internetexplorerfilepath%

The trojan creates and runs a new thread with its own code within these running processes.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 4 URLs. The HTTP protocol is used for the communication.


The trojan serves as a proxy server.


The trojan hooks the following Windows APIs:

  • NtCreateUserProcess (ntdll.dll)
  • NtWriteVirtualMemory (ntdll.dll)
