Threat Encyclopedia


Win32/Agent.RFC

Aliases: Trojan-Ransom.Win32.DigiPog.kq (Kaspersky), VirTool:Win32/Obfuscator.FI (Microsoft), Trojan.Winlock.1757 (Dr. Web)
Type of infiltration: Trojan
Size: 155136 B
Affected platforms: Microsoft Windows
Signature database version: 5138 (20100522)

Short description

Win32/Agent.RFC is a trojan that blocks access to the Windows operating system. To regain access to the operating system, the user is asked to send an SMS message to a specified telephone number in exchange for a password. When the correct password is entered, the trojan removes itself from the computer.

Installation

When executed, the trojan copies itself into the following location:
  • %appdata%\%variable1%.exe
The trojan creates the following files:
  • %appdata%\%variable1%.ddr
  • %startup%\healm_%variable2%.lnk
%variable1% and %variable2% stand for strings with variable content.

In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "PC Health Status" = "%appdata%\%variable1%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "PC Health Status" = "%appdata%\%variable1%.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
    "0X29A" = ""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoLogoff" = 1
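As an added defender-side example (not part of this encyclopedia entry), the following Python parses a constructed `reg export` dump and flags the registry indicators listed above: the "PC Health Status" autorun value, the "0X29A" marker under Post Platform, and NoLogoff set to 1. The sample dump is constructed for illustration, and the .reg parser is a simplification that handles single-line values only.

```python
"""Flag the Win32/Agent.RFC registry indicators in a Windows .reg export."""
import re

# Constructed sample of a `reg export` dump (not data from a real host);
# the value names and key paths follow the indicators listed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"PC Health Status"="C:\\Users\\alice\\AppData\\Roaming\\kq9f2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogoff"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"0X29A"=""
'''

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text.

    Simplified parser: only "[key]" headers and single-line "name"=data
    entries are handled (no hex continuation lines, no default values).
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys


def find_agent_rfc_indicators(reg_text):
    """Return (key, value_name, reason) tuples for each matching indicator."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        low = key.lower()
        if RUN_KEY.search(key) and "PC Health Status" in values:
            hits.append((key, "PC Health Status", "autorun value used by Win32/Agent.RFC"))
        if low.endswith(r"\user agent\post platform") and "0X29A" in values:
            hits.append((key, "0X29A", "marker value created by the trojan"))
        if low.endswith(r"\policies\explorer") and values.get("NoLogoff", "").lower() == "dword:00000001":
            hits.append((key, "NoLogoff", "logoff disabled (NoLogoff = 1)"))
    return hits
```

Run the check against an export of HKLM and HKCU, since the autorun value is set under both hives.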

Other information

Win32/Agent.RFC is a trojan that blocks access to the Windows operating system.

The trojan displays the following dialog box:
[screenshot: screen03.jpg]
To regain access to the operating system, the user is asked to send an SMS message to a specified telephone number in exchange for a password.

When the correct password is entered, the trojan removes itself from the computer.

The password to regain access to the operating system is one of the following:
  • 54891
The following programs are terminated:
  • far.exe
  • taskmgr.exe
  • msconfig.exe
  • procmon.exe
  • regedit.exe
  • taskkill.exe