Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Agent.RAZ

Aliases: Trojan-Downloader.Win32.Agent.dlhc (Kaspersky), Trojan:Win32/Malagent (Microsoft), Generic Downloader.x!dzu (McAfee)
Type of infiltration: Trojan
Size: 245760 B
Affected platforms: Microsoft Windows
Signature database version: 5031 (20100415)

Short description

Win32/Agent.RAZ is a trojan which tries to download other malware from the Internet.

Installation

The trojan creates the following files:
  • %temp%\update.tmp
The trojan may create the following files:
  • %system%\ipripv6.dll (41472 B)
  • %system%\wbem\wbmain.dll (37376 B)
  • %appdata%\DrWatson\DrWatson.exe (53760 B)
  • %appdata%\DrWatson\DrWatson.dll (37376 B)
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip]
    "Type" = 32
    "Start" = 2
    "ErrorControl" = 1
    "ImagePath" = "%systemroot%\System32\svchost.exe -k netsvcs"
    "DisplayName" = "RIP Listener"
    "ObjectName" = "LocalSystem"
    "Description" = "Listens for route updates sent by routers
    that use the Routing Information Protocol version 1
    (RIPv1)"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters]
    "ServiceDll" = "%system%\ipripv6.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Security]
    "Security" = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00
    00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01
    0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Enum]
    "0" = "RootLEGACY_IPRIP000"
    "Count" = 1
    "NextInstance" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ErrorReporter" = "%appdata%\DrWatson\DrWatson.exe ::C"
This causes the trojan to be executed on every system start.

The trojan launches the following processes:
  • %appdata%\DrWatson\DrWatson.exe
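
The registry entries listed above can be checked offline against an exported hive. The following is an added example, not part of the original entry: a Python triage check that parses a regedit "Version 5.00" export and flags the ServiceDll and Run values named above. It goes slightly beyond the entry by matching any ControlSet and both plain and hex-encoded string values; the function names and the sample export are constructed for illustration.

```python
import re

# Registry indicators from the entry above: (key suffix, value name, data substring).
INDICATORS = [
    ("\\services\\iprip\\parameters", "servicedll", "\\ipripv6.dll"),
    ("\\currentversion\\run", "errorreporter", "\\drwatson\\drwatson.exe"),
]

def decode_data(raw):
    """Decode "..." strings and hex(1)/hex(2) string exports; None for other types."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])          # undo .reg escaping
    m = re.fullmatch(r"hex\([12]\):([0-9a-fA-F,]*)", raw)
    if not m:
        return None
    data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return data.decode("utf-16-le", errors="replace").rstrip("\0")  # 5.00 format is UTF-16LE

def parse_reg(text):
    """Parse regedit/`reg export` text into {key: {value_name: data}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)              # join wrapped hex lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        data = decode_data(m.group(2)) if m else None
        if current is not None and data is not None:
            current[re.sub(r"\\(.)", r"\1", m.group(1))] = data
    return keys

def find_agent_raz(text):
    """Return (key, value_name, data) tuples that match INDICATORS."""
    return [(key, n, d)
            for key, values in parse_reg(text).items()
            for suffix, name, needle in INDICATORS if key.lower().endswith(suffix)
            for n, d in values.items() if n.lower() == name and needle in d.lower()]

def hex2(s):  # encode s the way regedit exports REG_EXPAND_SZ (builds the sample)
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))
# Constructed sample export, not captured from a real host.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters]",
    '"ServiceDll"=' + hex2(r"%SystemRoot%\System32\ipripv6.dll"),
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"ErrorReporter"="C:\\Users\\u\\AppData\\Roaming\\DrWatson\\DrWatson.exe ::C"',
    r'"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"',
])
```

Exports written by regedit or `reg export` are UTF-16, so decode the file (for example with `open(path, encoding="utf-16")`) before passing its text to `find_agent_raz`.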

Other information

The trojan creates and runs a new thread with its own program code within the following processes:
  • explorer.exe
  • winlogon.exe
The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 5 URLs. The HTTP protocol is used in the communication.

The trojan can download and execute a file from the Internet.