Threat Encyclopedia


Short description
Win32/Agent.GCI is a trojan that tries to download other malware from the Internet. The file is run-time compressed using PECompact.
Installation
When executed, the trojan copies itself into the following location:
  • %system%\wbem\csrss.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "csrss" = "%system%\wbem\csrss.exe"
The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "2500" = 3
Information stealing
The trojan collects the following information:
  • operating system version
  • Internet Explorer version
  • Mozilla Firefox version
  • type of Internet connection
  • current screen resolution
The trojan can send the information to a remote machine.
Other information
The trojan receives data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs.

The trojan tries to download and execute several files from the Internet. The HTTP protocol is used.

The downloaded files are stored in the following locations:
  • %temp%\x%variable1%.tmp
  • %system%\%variable2%\%filename%
A string with variable content is used instead of %variable1%, %variable2% and %filename%.

The trojan creates the following files:
  • %appdata%\n.ini
  • %temp%\temp.bat
  • %system%\c200.bat
  • %system%\n.ini
The following services are disabled:
  • winupdate
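
The file and registry indicators above can be checked against a host inventory export. The following is an added example, not part of the original entry: the record layout, the HKLM/HKCU abbreviations and the default System32 path are assumptions, and the Run-key check is generalised to any value that launches a file named csrss.exe.

```python
import ntpath
import re

# Assumptions: %system% is C:\Windows\System32; hives are written HKLM/HKCU.
SYSTEM = "c:\\windows\\system32\\"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
ZONE3_KEY = (r"hkcu\software\microsoft\windows\currentversion"
             r"\internet settings\zones\3")
SYSTEM_FILES = {r"wbem\csrss.exe", "c200.bat", "n.ini"}
# %appdata% and %temp% are per-user, so these match on the path tail.
USER_FILES = [
    (re.compile(r"\\(appdata\\roaming|application data)\\n\.ini$"), "%appdata%\\n.ini"),
    (re.compile(r"\\temp\\temp\.bat$"), "%temp%\\temp.bat"),
    (re.compile(r"\\temp\\x[^\\]*\.tmp$"), "%temp%\\x*.tmp (weak indicator)"),
]

def norm(path):
    """Strip quotes, resolve '..' and lower-case so comparisons are stable."""
    return ntpath.normpath(str(path).strip().strip('"')).lower()

def check_file(path):
    p = norm(path)
    if p.startswith(SYSTEM) and p[len(SYSTEM):] in SYSTEM_FILES:
        return "%system%\\" + p[len(SYSTEM):]
    return next((label for rx, label in USER_FILES if rx.search(p)), None)

def check_reg(key, name, value):
    k = key.lower().rstrip("\\")
    if k == RUN_KEY and ntpath.basename(norm(value)) == "csrss.exe":
        # Generalised: the genuine csrss.exe is not started from a Run key.
        return "Run value launches csrss.exe"
    if k == ZONE3_KEY and name == "2500" and str(value) == "3":
        return "Zones\\3 value 2500 = 3"
    return None

def sweep(records):
    """Return (record, reason) for every record matching a page indicator."""
    checked = ((r, check_file(r[1]) if r[0] == "file" else check_reg(*r[1:]))
               for r in records)
    return [(r, why) for r, why in checked if why]

SAMPLE = [  # constructed rows: ("file", path) or ("reg", key, name, value)
    ("file", r"C:\Windows\System32\csrss.exe"),  # genuine location
    ("file", r"C:\WINDOWS\system32\wbem\CSRSS.EXE"),
    ("file", r"C:\Users\alice\AppData\Local\Temp\x81f3.tmp"),
    ("reg", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "csrss", r"C:\Windows\System32\wbem\csrss.exe"),
    ("reg", ZONE3_KEY.upper(), "2500", 3),
]
```

The genuine csrss.exe directly under %system% is not flagged, only the copy under wbem. The disabled winupdate service is not covered by this check.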