Threat Encyclopedia


Win32/Agent.RHT

Aliases: Trojan Horse (Symantec), Generic.dx!tbb trojan (McAfee), Win32.HLLW.Facebook.757 (Dr. Web)
Type of infiltration: Trojan
Size: 119808 B
Affected platforms: Microsoft Windows
Signature database version: 5206 (20100618)

Short description

Win32/Agent.RHT is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:
  • %appdata%\%variable1%.exe
The trojan creates the following files:
  • %temp%\%variable2%.tmp (174080 B)
  • %temp%\%variable3%.tmp (16896 B)
  • %windir%\Temp\%variable4%.tmp (16896 B)
A string with variable content is used instead of %variable1-4%.

The following file is dropped into the %windir%\Tasks folder:
  • systems.job
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "%variable1%.exe" = "%appdata%\%variable1%.exe"
This causes the trojan to be executed on every system start.

Other information

The trojan creates and runs a new thread with its own program code within the following processes:
  • firefox.exe
  • iexplore.exe
The trojan collects information used to access the following site:
  • www.facebook.com
The following information is collected:
  • user name
  • passwords
  • e-mail addresses
The trojan can send the information to a remote machine. The trojan contains a list of (1) URLs. The HTTP protocol is used.

The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\facebook]
  • [HKEY_CURRENT_USER\Software\systems]
The trojan can delete cookies.
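
Host triage for the artefacts listed above, as an added example (not part of the original description and not vendor code). The indicators are the ones in this write-up; the matching logic, the extra Wow6432Node Run key and the use of the current user's %appdata% and %temp% are assumptions, and the size-based .tmp check and the Software\systems key are weak indicators on their own.

```powershell
# Added example: look for the artefacts this description lists on the local host.
# Run in the context of the user profile being examined (uses $env:APPDATA / $env:TEMP).
$findings = @()

# 1. Task file dropped into %windir%\Tasks
$job = Join-Path $env:windir 'Tasks\systems.job'
if (Test-Path -LiteralPath $job) { $findings += "Task file present: $job" }

# 2. Run value named "<name>.exe" whose data is %appdata%\<name>.exe
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Assumption: a 32-bit process on 64-bit Windows writes to the redirected view
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        if ($name -notlike '*.exe') { continue }
        $data = [string]$item.GetValue($name)
        $path = [Environment]::ExpandEnvironmentVariables($data).Trim('"')
        if ($path -ieq (Join-Path $env:APPDATA $name)) {
            $findings += "Run entry: $key -> '$name' = '$data'"
        }
    }
}

# 3. Registry keys the trojan may set
foreach ($key in 'HKCU:\Software\facebook', 'HKCU:\Software\systems') {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# 4. .tmp files with the listed sizes (weak indicator: names are variable)
$sizes = 174080, 16896
foreach ($dir in $env:TEMP, (Join-Path $env:windir 'Temp')) {
    Get-ChildItem -LiteralPath $dir -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
        Where-Object { $sizes -contains $_.Length } |
        ForEach-Object { $findings += "Temp file with listed size: $($_.FullName) ($($_.Length) B)" }
}

if ($findings) { $findings } else { 'No listed artefacts found.' }
```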